
Patreon lays off entire security team, WTF?

IceBoneBadger

Summary

It appears that Patreon has laid off their security team. A tweet from Whitney Merrill referenced a post on LinkedIn from one of Patreon's now former employees who says they're looking for work.

 

Quotes

Quote

So for better or worse, I and the rest of the Patreon Security Team are no longer with the company. As a result I'm looking for a new Security or Privacy Engineering role and would appreciate any connections, advice, or job opportunities from folks in my network. #OpenToWork

 

My thoughts

I support a few creators through Patreon, so they have my credit card info. That credit card which has not had a single problem for over 20 years suddenly had to be replaced due to fraudulent charges not once, but twice within the past 2 months. This might be a coincidence, but I'm curious if anyone else that uses Patreon has also had recent fraud problems on their payment methods. I want to keep supporting the creators I like, but I think I'll need something other than Patreon going forward. Any alternatives people like besides direct through PayPal?

 

Sources

https://www.webpronews.com/patreon-just-let-its-entire-security-team-go/


Well, I can think of various reasons why a company would lay off an entire department... But getting rid of your entire security department is usually not the smartest move for a tech company that handles customer payment data. Unless they are offloading that to a third party and not actually handling any of it themselves.


15 minutes ago, TetraSky said:

Well, I can think of various reasons why a company would lay off an entire department... But getting rid of your entire security department is usually not the smartest move for a tech company that handles customer payment data. Unless they are offloading that to a third party and not actually handling any of it themselves.

I wonder if they laid off the entire team because of some potential fraud within the team that they cannot isolate.

 

Not saying it's the right way to do it, but it is possible something was so rampant or heinous that they had to go nuclear.


Patreon should've never been founded.


It's because one of the company executives went and said: "Why do we have all these security experts, we never got compromised! It's a waste of money! Hmm our computer infrastructure is also working great! Why do we have an IT team?... maybe next quarter we will get rid of them!"

 

Then adds:

"Anyhow! Look how much monies I saved the company! Bonus, here I come!!! Then, I'll put it on resume, look for another job and rinse and repeat before shit hits the fan, which I always hear about after I leave... guess I am THAT good, and no one can replace me, yea! That must be it! I am so awesome!"


4 hours ago, TetraSky said:

Well, I can think of various reasons why a company would lay off an entire department... But getting rid of your entire security department is usually not the smartest move for a tech company that handles customer payment data. Unless they are offloading that to a third party and not actually handling any of it themselves.

I believe the CEO decided not too long ago to try to outsource more of the roles within Patreon. Could be wrong though.


3 hours ago, GoodBytes said:

It's because one of the company executives went and said: "Why do we have all these security experts, we never got compromised! It's a waste of money! Hmm our computer infrastructure is also working great! Why are we having an IT team?... maybe next quarter we will get rid of them!"

 

Then adds:

"Anyhow! Look how much monies I saved the company! Bonus, here I come!!! Then, I'll put it on resume, look for another job and rinse and repeat before shit hits the fan, which I always hear about after I leave... guess I am THAT good, and no one can replace me, yea! That must be it! I am so awesome!"

Sadly this actually happens, and it's crazy that it happens so often...or they create more subtle ways of making the security team fail (underfunding for necessary hardware/software changes)...and then blame those people if an incident happens

 

Looks like in this case it's 5 employees who got fired here, so I'm wondering if there might have been an audit or something that didn't look good in terms of the security of their system.


1 hour ago, AluminiumTech said:

I believe the CEO decided not too long ago to try to outsource more of the roles within Patreon. Could be wrong though.

Nope, you are right.

They are getting rid of their security group and are instead going to bring in external organisations to handle security related tasks.

"Patreon outsources some jobs" is not as sexy of a title as "Patreon no longer has a security team!?" though.

 

 

It is also worth mentioning that their security team seems like it had some issues. Their (former) head of security was just temporary, and I couldn't find anyone who used to be the head of security. It might be a case of the security team being disorganized/mismanaged, so bringing in one or more external firms was the easiest way of handling things. If Patreon is preparing for an IPO, it would look quite bad for them to say "yeah, we don't really have a head of security...". Their former security team does not seem to have any experience when it comes to preparing a company for an IPO either.

 

 

My guess is that Patreon decided to get rid of their security team because it wasn't really working. Instead, they will bring in an external firm that is experienced with handling IPO-cases, and they also get a set of new eyes to look over their platform.

This not only ensures that the IPO-related due diligence is taken care of by people experienced with it, it also illustrates that the company is prepared to make structural changes that are suitable for a public company.

 

 

External security firms are typically not cheap (at least not good ones), so I have my doubts that this is a cost-cutting measure. Having external security firms will probably end up costing more than having a couple of people doing it in-house in the long run.


7 hours ago, IceBoneBadger said:

Summary

It appears that Patreon has laid off their security team. A tweet from Whitney Merrill referenced a post on LinkedIn from one of Patreon's now former employees who says they're looking for work.

 

Quotes

 

My thoughts

I support a few creators through Patreon, so they have my credit card info. That credit card which has not had a single problem for over 20 years suddenly had to be replaced due to fraudulent charges not once, but twice within the past 2 months. This might be a coincidence, but I'm curious if anyone else that uses Patreon has also had recent fraud problems on their payment methods. I want to keep supporting the creators I like, but I think I'll need something other than Patreon going forward. Any alternatives people like besides direct through PayPal?

 

Sources

https://www.webpronews.com/patreon-just-let-its-entire-security-team-go/

Nope. My Patreon payments have been fine.

PayPal is worse, the absolute worst, for supporting creators. They're all too happy to take VISA's garbage censorship rules and double down on them.

Every creator, globally, who does anything even remotely adult has to find a payment provider outside the US. The problem is so dire now that streamers are told they can't cosplay, and comic artists can't draw erotica with anything but vanilla humans in it. Or do people think the OnlyFans thing was a one-off?

Patreon gets away with what it can, but it's under the gun to kick off any NSFW content if it's advertised as such. PayPal has been doing that for well over a decade.

But as for why this security team is being let go, I'd guess it's more mundane and Patreon just outsourced them.


Oof, now for the hackers to come running in. I would love to see the reason why they did this.


https://www.businessinsider.com/patreon-layoffs-5-employees-security-strategic-shift-creator-economy-2022-9

 

I'm not sure if all of their security team was subject to layoffs. Business Insider had an interview where it stated that 5 employees from the security team were laid off as a shift in the security program, as part of a pivot to partnering with external organizations to meet industry standards and work globally. I don't have a Business Insider account so I can't read the whole interview or article.


9 hours ago, LAwLz said:

External security firms are typically not cheap (at least not good ones), so I have my doubts that this is a cost-cutting measure. Having external security firms will probably end up costing more than having a couple of people doing it in-house in the long run.

While that is true, if, let's say, they are trying to do PCI compliance and the teams aren't allowing them to effectively transition to that. I know for a fact that some industries get terrible credit card rates unless you can pull off PCI compliance, and the amount of work that is involved in doing so can be brutal... unless you, let's say, outsource it to a 3rd party that takes on the risk of it. Just a speculation, but given how little money flows per transaction, it wouldn't surprise me if it was a way to cut the fees that the payment processors are taking.


So I went into my local bank this week. More than one person, of different ages and such, had their accounts compromised.

There's been a massive uptick in this, this year. Hell, even I had it happen, and I silo all my accounts and credit cards... I am still dealing with the fallout.

Oddly, I became aware of getting hacked due to Amazon of all places.

The hacker thought they'd list an item and make money before anyone noticed.

Dumbass listed something I never sold. Instant red flag.


1 hour ago, dogwitch said:

So I went into my local bank this week. More than one person, of different ages and such, had their accounts compromised.

There's been a massive uptick in this, this year. Hell, even I had it happen, and I silo all my accounts and credit cards... I am still dealing with the fallout.

Oddly, I became aware of getting hacked due to Amazon of all places.

The hacker thought they'd list an item and make money before anyone noticed.

Dumbass listed something I never sold. Instant red flag.

 

 

Anecdotally your bank told you "hide yo kids, hide yo wife, cause they're hacking errybody out there", and apparently your Amazon account got compromised, and this is relevant to the thread topic because... ?


6 minutes ago, Middcore said:

 

 

Anecdotally your bank told you "hide yo kids, hide yo wife, cause they're hacking errybody out there", and apparently your Amazon account got compromised, and this is relevant to the thread topic because... ?

I've been seeing an uptick in security issues in the past 2 months.

Nov/Dec of this year is going to be a mess with fraud charges etc. in the USA.

 


7 hours ago, dogwitch said:

I've been seeing an uptick in security issues in the past 2 months.

Nov/Dec of this year is going to be a mess with fraud charges etc. in the USA.

 

Some major retailer got hit recently. Not sure who yet. One of our cards got dinged (we caught the first trial charge), and the card basically has no online presence. I'm waiting for that one to drop. Going to be really messy when it does.


18 hours ago, dogwitch said:

So I went into my local bank this week. More than one person, of different ages and such, had their accounts compromised.

There's been a massive uptick in this, this year.

Virtual credit card numbers need to be a thing. Consumer, merchant, and banks would all benefit if there's a dedicated number paired between the consumer and merchant. It would reduce the scope of a compromised account while making it possible to trace where it got compromised. At that point, the banks could cut the merchant off until it undergoes a security assessment and remediation.

 

Fraud is a major cost to all involved. Such a system needs to be standardized.


16 hours ago, Taf the Ghost said:

Some major retailer got hit recently. Not sure who yet. One of our cards got dinged (we caught the first trial charge), and the card basically has no online presence. I'm waiting for that one to drop. Going to be really messy when it does.

I've been hearing some talk about it.

 


7 hours ago, StDragon said:

Virtual credit card numbers need to be a thing.

They already are. They're not very widespread, and often it involves using a third party, but it does exist. Unless you meant that it needs to become more common.


13 minutes ago, Jito463 said:

They already are. They're not very widespread, and often it involves using a third party, but it does exist. Unless you meant that it needs to become more common.

It needs to be both more common and an industry standard. I've personally been a victim of CC theft from having my account number stored at a merchant site (automated monthly bill payment), only for the account (unpatched server or in general poor security on the backend) to get hacked and later my CC number compromised. Of course, that was after the fact and it was too late.

 

Had I paired with a virtual number for automated bill payment, I could have cycled a new number or canceled the account depending on the nature and remediation of the cyber intrusion.
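As an added illustration of the merchant-bound virtual number idea in the last two posts (example code written for this page, not anything from Patreon, the forum, or any card issuer): a toy vault that binds each issued number to one merchant, so a charge presented by any other merchant both fails authorization and identifies which merchant's stored number leaked, after which that merchant's tokens can be revoked and reissued. Merchant names and card numbers are constructed.

```python
# Added example (not from the thread): a toy model of merchant-bound virtual
# card numbers. Merchant names and card numbers below are constructed.
from __future__ import annotations
import secrets
from dataclasses import dataclass


@dataclass
class VirtualCard:
    number: str     # the token the merchant stores instead of the real card
    merchant: str   # the only merchant allowed to charge this token
    active: bool = True


class CardVault:
    """Issues one virtual number per merchant for a single real card."""

    def __init__(self, real_card: str) -> None:
        self.real_card = real_card   # never handed to any merchant
        self.cards: dict[str, VirtualCard] = {}

    def issue(self, merchant: str) -> str:
        # Constructed 16-digit token; not a real BIN range or card number.
        number = "9" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        self.cards[number] = VirtualCard(number, merchant)
        return number

    def authorize(self, number: str, merchant: str) -> bool:
        """A charge is valid only if the token is live and bound to this merchant."""
        card = self.cards.get(number)
        return card is not None and card.active and card.merchant == merchant

    def revoke_merchant(self, merchant: str) -> list[str]:
        """Cut a merchant off: deactivate every live token bound to it."""
        revoked = [c.number for c in self.cards.values()
                   if c.merchant == merchant and c.active]
        for number in revoked:
            self.cards[number].active = False
        return revoked


def find_leaks(vault: CardVault,
               charges: list[tuple[str, str, int]]) -> dict[str, list[str]]:
    """Map each merchant whose token surfaced elsewhere to the merchants that used it.
    charges are (token, charging_merchant, amount) as a processor would see them.
    A token presented by anyone other than its bound merchant can only have
    come from that merchant's systems, so the token itself names the leak source.
    """
    leaks: dict[str, set[str]] = {}
    for token, merchant, _amount in charges:
        card = vault.cards.get(token)
        if card is not None and card.merchant != merchant:
            leaks.setdefault(card.merchant, set()).add(merchant)
    return {source: sorted(users) for source, users in leaks.items()}
```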


6 hours ago, dogwitch said:

i been hearing some talk about it.

 

They signed the card up for a legitimate online service, not some dummy charge yet. So it was a clear probe/DB check. It might be an online site and it's just taken a while, but none of the few that were used on that card have cropped up for being compromised. So it's either some major retailer (that's mostly what the card is used for) or one of a few clothing/homegoods online stores. Either way, all of them big.

 

It's entirely possible that it's from a far older data breach and they were just testing the card, and that's why they tested the card. We'll see.
