Last night, the Internet learned that Patreon fired their entire security team, abruptly.
We also learned that the primary motivation was outsourcing.
People digging into this story have also reported that Patreon has been cutting its security vendors for months, and that there was no clear motivation for the layoffs.
InfoSec Twitter’s response to this news was overall measured and appropriate given past experience with dysfunctional companies and the narrative contradictions we’ve already observed.
Not everyone has been calm and focused in their reactions, and I’ve been asked by several people whether or not they should delete their Patreon accounts in response to this news.
In light of both observations, I’d like to take a moment to explain:
But before that, let me briefly introduce myself to people who aren’t regular readers of my blog. Feel free to skip that section if you don’t care.
I’m a furry blogger who also happens to work as a security engineer for the cryptography team at a large technology company.
You might have seen some of my posts float across technology news sites, occasionally.
I’m also known for making SwiftOnSecurity publicly cringe.
As a result of both my profession and my hobby, I maintain a modernized fork of the open source PHP library for Patreon’s API. My only interest in doing so was to make it easier for artists and technologists to secure their own widgets that integrate with Patreon.
The website you’re reading is a furry blog before it’s anything else. (And despite what Hacker News users seem to think, being a furry isn’t a kink thing.)
But beyond that, my previous support and use of Patreon was to support furry content creators.
Through my career (which I try, in almost all circumstances, to keep separate from my hobbies), I’ve been directly responsible for reviving security teams after total staffing shortages before, albeit not as a result of layoffs, so I still had some institutional knowledge (and limited access to the employees with the relevant undocumented muscle memory, who had transferred to other teams in the same company).
Rebuilding from zero without that? Good luck.
The Facts:
That’s all we know, for certain, to be true at this time.
Allegations:
Until these allegations are examined further and reinforced with more evidence, as compelling as they might seem, we cannot consider them facts.
Unknowns:
We don’t know the answer to any of these questions at this time.
Most of InfoSec Twitter that has commented on this issue seems to agree that this is a canary: a warning sign of a bigger issue.
There is also some speculation in security back-channels that Patreon is in a similar situation to Equifax’s in 2017, but that remains to be seen.
More pressingly, a lot of people have expressed concern over the security of payment and/or payment card information.
I can sympathize where people are coming from, but there’s little reason for alarm on this specific point.
Our financial systems are designed to tolerate an optimally non-zero amount of fraud; when a payment card is misused, the loss is generally absorbed by the card networks and issuers rather than by the cardholder. Even if we assume that firing an entire Security Team would result in an overall reduction in security for Patreon, your risk calculus shouldn’t change much on this point.
Attackers would, generally speaking, be far more interested in the blackmail potential for subscriber information. After all, a lot of Patreon pledges go to support NSFW and kink content creators.
While there’s nothing wrong with kink, sexuality, pornography, or sex work, many people aren’t in a position to comfortably and shamelessly live their best lives.
This means threatening to reveal their Patreon pledges to their family, local community, or employer may be sufficient to extort a few cyberbucks out of them. Why even bother with ransomware at that point?
As stated above, firing an entire Security Team means removing any possibility of retaining critical institutional knowledge and muscle memory necessary for operational and security excellence within the scope of that Team’s responsibility.
In plain terms: This is a boneheaded business decision on the best of days.
While it’s possible that there are other factors at play that resulted in this decision being the least bad outcome for the company, none of those factors are good to begin with.
In the coming months, I’d encourage Patreon users to at least pay careful attention to any news stories about security breaches or ill-advised mergers/acquisitions that pre-date September 8, 2022.
This was not a knee-jerk reaction. Rather, it was a deliberate and calculated decision in response to new information.
However, my primary motivation is a bit tricky to articulate, so bear with me for a minute.
The most valuable currency of any long-term business is trust.
Trust is easy to lose and hard to earn. The primary way companies can earn trust is through transparency, consistency, and fairness.
There’s definitely more to trust than that, but these are essential elements.
Firing an entire Security Team without warning undermines my ability to trust Patreon. This fails all three components I outlined above.
My other motivation is solidarity with the laid-off employees.
I cannot, in good conscience, financially support a company that treats their security teams this way.
I’m personally less concerned about my financial information (which was scoped down to “granted revocable permission to my PayPal account”) or the risk of blackmail attempts (anyone who doesn’t know I’m a furry is generally someone whose opinion I won’t lose sleep over souring if they find out).
However, my risks are not your risks. If you’re likely impacted by either outcome, adjust accordingly.
Ultimately, the onus will be on the creator to accept recurring donations from more platforms in order to continue your support.
For the furry fandom, at least, most of us already have a Ko-fi account. Did you know Ko-fi has a monthly subscription feature too?
Update: As one comment points out, Ko-fi’s Terms of Service pretty explicitly bans NSFW content. I thought this was worth a revision to emphasize this point.
One Patreon alternative I’ve seen used a lot is SubscribeStar (which has a separate system for NSFW content).
There are also several listicles of Patreon alternatives floating around the Internet. I don’t have any strong opinions on most of them.
That’s entirely up to you. I’m not your boss.
If you do decide that Patreon is risky or untrustworthy for their poor decisions, you may want to delete your Patreon account.
However, it’s also okay if you decide differently than I did.
Migrations are difficult.
If most of your supporters (or, conversely, artists you want to support) use Patreon as their only platform, asking them to create an account on a new platform just for them is a tall order.
Additionally, there’s a risk of being “double charged” (once from Patreon, once from the Alternative) during the month of migration, which isn’t fair to the supporter.
You might try to mitigate the risk of a double charge by delaying the onboarding until the next monthly cycle begins, but that’s a good way for most supporters to slip through the cracks.
People forget, people get busy. The more cognitive load you place upon people, the worse the outcome.
There’s no shame in choosing to not make this difficult and painful migration. Patreon certainly has the Network Effect going for them, and swimming upstream is always difficult.
Not deleting your Patreon account is valid too.
If you do decide that you want to delete your account:
It’s not completely straightforward, but it’s tractable.
This blog post, like literally everything else published on this blog, is the sole opinion of a computer nerd that presents as a talking blue cartoon canid on the Internet.
I do not represent any company (especially my employer) in any capacity.
I hope by tackling this topic with balance and nuance, everyone is able to calmly make the best decision for themselves and their personal risk profile.