No data breach at Patreon, but proactive notice caused some concern

Patreon, the membership platform that helps creators get paid for their work, sent users a letter on Monday warning them about a data breach at Typeform.

Patreon uses Typeform for user surveys, and on June 27, Typeform announced a data breach that impacts thousands of people. Being proactive, Patreon wanted to alert their users, but the wording of the letter led to some confusion.

The Patreon letter recaps the Typeform data breach, and then informs the recipient that “as a result, we are reaching out to you as the data that was potentially impacted includes your [name and email address].”

Their hearts were in the right place, but the wording of Patreon’s notice is a bit frightening.

At a glance, it looks as if Patreon is alerting the person reading their letter that their name and email address was compromised by the Typeform breach.

However, that isn’t the case. There was no breach at Patreon.

Reached by phone, a spokesperson for Patreon told Salted Hash that the notice was purely proactive.

In an emailed statement, the spokesperson said that after the Typeform breach was made public, “we wanted to let the potentially impacted people [know] what information of theirs (name, email) might have been compromised.”

When they announced the data breach last week, Typeform said that those impacted would receive a letter directly, and that those affected “should check their email for specific information.” Typeform also suggested language to use for organizations that needed to alert their customers (called audience by Typeform) of the breach.

“If you didn’t get an email, you weren’t affected,” the Typeform breach notice states.

As mentioned, the Typeform data breach impacted thousands of people.

An upmarket department store in Piccadilly, London – Fortnum & Mason – said that 23,000 customers were affected by the Typeform breach, which was sourced to an exposed partial backup dated May 3, 2018.

“On June 27, 2018, our engineering team became aware that an unknown third party gained access to our server and downloaded certain information. As a result of this breach, some data was compromised. We responded immediately and fixed the source of the breach to prevent any further intrusion,” the Typeform breach notice explains.

The Electoral Commission for State of Tasmania was also impacted by the Typeform breach, according to a warning issued to voters.

Moreover, Monzo, the digital, mobile-only bank based in the UK was also impacted. In a blog post, the bank says that more than 19,000 customers were impacted, and that they’re ending their relationship with Typeform as a result of the incident.

While it caused a bit of a panic, the proactive notice from Patreon is a good thing, and something organizations should start doing more frequently.

In this case, as pointed out by @BCrowe72 on Twitter, it’s better to know the potential impact of a breach (and have it turn out to be nothing, as was the case with the Patreon letter), rather than face silence and learn about the impact long after the fact.