Last night, the Internet learned that Patreon fired their entire security team, abruptly.
We also learned that the primary motivation was outsourcing.
People digging into this story have also reported that Patreon has been cutting their security vendors for months and that there was no clear motivation for the layoffs.
InfoSec Twitter’s response to this news was overall measured and appropriate given past experience with dysfunctional companies and the narrative contradictions we’ve already observed.
Not everyone has been calm and focused in their reactions, and I’ve been asked by several people whether or not they should delete their Patreon accounts in response to this news.
In light of both observations, I’d like to take a moment to explain:
- What we actually know, and what the risks are based on that knowledge.
- Why I ultimately chose to delete my Patreon account.
- Alternative platforms that artists and creators may want to migrate onto.
But before that, let me briefly introduce myself to people who aren’t regular readers of my blog. Feel free to skip that section if you don’t care.
Who Are You, Soatok?
I’m a furry blogger who also happens to work as a security engineer for the cryptography team at a large technology company.
You might have seen some of my posts float across technology news sites, occasionally.
I’m also known for making SwiftOnSecurity publicly cringe.
As a result of both my profession and my hobby, I maintain a modernized fork of the open source PHP library for Patreon’s API. My only interest in doing so was to make it easier for artists and technologists to secure their own widgets that integrate with Patreon.
Why Mention Being a Furry?
The website you’re reading is a furry blog before it’s anything else. (And despite what Hacker News users seem to think, being a furry isn’t a kink thing.)
But beyond that, my previous support and use of Patreon was to support furry content creators.
Why Does This Matter?
Through my career (which I try, in almost all circumstances, to keep separate from my hobbies), I’ve been directly responsible for reviving security teams after total staffing shortages before, albeit not as a result of layoffs, so I still had some institutional knowledge (and limited access to the employees with the relevant undocumented muscle memory, who had transferred to other teams in the same company).
Rebuilding from zero without that? Good luck.
What We Actually Know About Patreon Laying Off Their Entire Security Team
- Patreon did actually lay off an entire Security Team
- Ellen Satterwhite, Patreon’s Interim Head of Communications & US Policy Lead, claims this was a result of a “strategic shift” of a portion of their security program
- Ellen also stated that Patreon relies on external organizations to assess their security against industry standards
- Patreon leadership has been publicly bragging about how little they were financially impacted by the COVID-19 pandemic
That’s all we know, for certain, to be true at this time.
- Patreon has allegedly been cutting security vendors for the past 4 months, which would likely undermine the confidence of the external organizations that assess them
- Employees have told reporters that there “was no clear reason for the layoffs and recent performance reviews had gone well” (also in previous link)
Until these allegations are examined further and reinforced with more evidence, as compelling as they might seem, we cannot consider them facts.
- How did this Team fit into the larger Patreon organizational chart?
- Was this entire Security Team also the entire Security Organization, or just a smaller group?
- What was the primary scope of responsibility for the Security Team that got axed by corporate leadership?
- Was the reported termination also part of a larger group of layoffs?
We don’t know the answer to any of these questions at this time.
What Are the Risks, Based on the Above?
Most of InfoSec Twitter that has commented on this issue seems to agree that this is a canary warning about a bigger issue.
There is also some speculation in security back-channels that Patreon is in a similar situation to Equifax’s in 2017, but that remains to be seen.
More pressingly, a lot of people have expressed concern over the security of payment and/or payment card information.
I can sympathize where people are coming from, but there’s little reason for alarm on this specific point.
- Patreon outsources most of their risk to Stripe and PayPal. They don’t process payments themselves.
- Even if the limited access Patreon has to your financial accounts is leveraged by an attacker, there are sufficient audit trails to reverse any unauthorized transactions.
Our financial systems are designed to tolerate an optimally non-zero amount of fraud. Even if we assume that firing an entire Security Team would result in an overall reduction in security for Patreon, your risk calculus shouldn’t change much.
Risk: Supporter Deanonymization
Attackers would, generally speaking, be far more interested in the blackmail potential for subscriber information. After all, a lot of Patreon pledges go to support NSFW and kink content creators.
While there’s nothing wrong with kink, sexuality, pornography, or sex work, many people aren’t in a position to comfortably and shamelessly live their best lives.
This means threatening to reveal their Patreon pledges to their family, local community, or employer may be sufficient to extort a few cyberbucks out of them. Why even bother with ransomware at that point?
Risk: Foolish Leadership
As stated above, firing an entire Security Team means removing any possibility of retaining critical institutional knowledge and muscle memory necessary for operational and security excellence within the scope of that Team’s responsibility.
In plain terms: This is a boneheaded business decision on the best of days.
While it’s possible that there are other factors at play that resulted in this decision being the least bad outcome for the company, none of those factors are good to begin with.
In the coming months, I’d encourage Patreon users to at least pay careful attention to any news stories about security breaches or ill-advised mergers/acquisitions that pre-date September 8, 2022.
Why I Deleted My Patreon Account
This was not a knee-jerk reaction. Rather, it was a deliberate and calculated decision in response to new information.
However, my primary motivation is a bit tricky to articulate, so bear with me for a minute.
The most valuable currency of any long-term business is trust.
Trust is easy to lose and hard to earn. The primary way companies can earn trust is through transparency, consistency, and fairness.
- If you lack transparency, you will always look like you’re hiding something.
- If you lack consistency, people won’t know what to expect, and will default to caution.
- If you lack fairness, people will develop a negative opinion of you, which means they will never trust you, even if only out of spite.
There’s definitely more to trust than that, but these are essential elements.
Firing an entire Security Team without warning undermines my ability to trust Patreon. This fails all three components I outlined above.
- Transparency: It was reportedly unclear to the employees why this happened
- Consistency: This isn’t typical behavior for Patreon
- Fairness: Laying off an entire Security Team is difficult to justify (and none was given, so…)
My other motivation is solidarity with the laid-off employees.
I cannot, in good conscience, financially support a company that treats their security teams this way.
I’m personally less concerned about my financial information (which was scoped down to “granted revocable permission to my PayPal account”) or the risk of blackmail attempts (anyone who doesn’t know I’m a furry is generally someone whose opinion I won’t lose sleep over souring if they find out).
However, my risks are not your risks. If you’re likely impacted by either outcome, adjust accordingly.
How Can We Still Support Creators Without Patreon?
Ultimately, the onus will be on the creator to accept recurring donations from more platforms in order for you to continue your support.
For the furry fandom, at least, most of us already have a Ko-fi account. Did you know Ko-fi has a monthly subscription feature too?
Update: As one comment points out, Ko-fi’s Terms of Service pretty explicitly bans NSFW content. I thought this was worth a revision to emphasize this point.
There are also several listicles of Patreon alternatives floating around the Internet. I don’t have any strong opinions on most of them.
Should You Delete Your Patreon Account?
That’s entirely up to you. I’m not your boss.
If you do decide that Patreon is risky or untrustworthy for their poor decisions, you may want to delete your Patreon account.
However, it’s also okay if you decide differently than I did.
Why Might Someone Not Want to Delete Their Patreon Account?
Migrations are difficult.
If most of your supporters (or, conversely, artists you want to support) use Patreon as their only platform, asking them to create an account on a new platform just for them is a tall order.
Additionally, there’s a risk of being “double charged” (once by Patreon, once by the alternative platform) during the month of migration, which isn’t fair to the supporter.
You might try to mitigate the risk of a double charge by delaying the onboarding until the next monthly cycle begins, but that’s a good way for most supporters to slip through the cracks.
People forget, people get busy. The more cognitive load you place upon people, the worse the outcome.
There’s no shame in choosing to not make this difficult and painful migration. Patreon certainly has the Network Effect going for them, and swimming upstream is always difficult.
Not deleting your Patreon account is valid too.
How Can I Delete My Patreon Account?
If you do decide that you want to delete your account:
- Cancel your memberships
- Feel free to link to this blog post in the “reason” field
- Remove your payment information
- (For creators): Unpublish your Patreon page
- Make a privacy request for account deletion
It’s not completely straightforward, but it’s tractable.
This blog post, like literally everything else published on this blog, is the sole opinion of a computer nerd that presents as a talking blue cartoon canid on the Internet.
I do not represent any company (especially my employer) in any capacity.
I hope by tackling this topic with balance and nuance, everyone is able to calmly make the best decision for themselves and their personal risk profile.