Press Release
Gumroad and Patreon – How Taxes Affect Content Creators

Using a platform such as Gumroad or Patreon can help you earn money as a content creator. However, you should be aware of the risks involved; for example, taxes on content creators can eat into your revenue.
Founder
The founder of Gumroad, Sahil Lavingia, has been helping creators sell their products online for a number of years. Before Gumroad, he worked at Pinterest, where he helped develop the site’s iPhone app. In 2011, Sahil left Pinterest to start his own company, Gumroad.
The most important thing to know about Gumroad is that it can be used to sell nearly any kind of digital good, including ebooks and other downloads, as well as physical goods such as T-shirts. The site also has a robust suite of tools to help creators sell their wares.
Sahil has made it his business to give his employees the tools to help them succeed. He encourages his team to try new things, work on side projects, and create products that will help Gumroad. In fact, Gumroad now offers memberships to its creators. This will allow them to sell their wares to a larger audience.
Sahil also made the company’s finances a priority. He knew he would need some capital to get the company off the ground, and this led to a few key decisions. One of the first was to cut a large chunk of the original staff of 20; another was to sell the company’s vision to investors first.
The company also eschewed conventional venture-backed metrics of success. Gumroad recommends an organic approach to marketing and advertising and offers a number of ways for creators to sell their wares to an audience. For example, the site lets users create landing pages, offer codes, and analyze sales. Gumroad also offers a number of ways for creators and fans to interact with each other. It also provides flexible hours, so people can work from home.
Although Gumroad has seen its share of struggles, it’s still worth a look. The company offers a simple promise, and its philosophical approach to business will pay off in the long run. It also has an impressive product. Hopefully, the company’s vision will be realized in the future. The creators of tomorrow will benefit from Gumroad’s thoughtful approach to business.
App store taxes affect content creators
Almost every in-app purchase in an iOS app carries a commission paid to Apple. This is commonly called the “Apple tax,” and it affects content creators.
Apple has been under fire lately over its 30% cut of that revenue. Critics accuse the company of monopolising the App Store business, an accusation the tech giant denies, pointing out that other app stores charge the same commission.
Apple has responded with its App Store Small Business Program, which reduces the commission to 15% for developers earning less than $1 million per year. The program was announced in November 2020 and took effect on 1 January 2021.
The commission applies to paid downloads, subscriptions, and in-app purchases, and it also applies to in-app tipping, where users donate to apps or content creators, whether through virtual currency or a direct in-app purchase.
In-app purchasing is an important part of the App Store’s business model. Most apps get their revenue from in-app purchases. It’s a major part of Apple’s second-largest revenue stream. In the first quarter of 2019, Apple reported $13.3 billion in Services revenue. However, it also reported a slowdown in iPhone sales.
Apple and Google deny that they are monopolizing the app market. They argue that they charge the fees to help secure the app store and to provide developers with tools and training.
Some of the top apps are betting that users will find other ways to pay for content. One option is to set up digital tip jars for users to donate to content creators. Another option is to refocus on the user experience. Apps that do not qualify for an exemption should get creative.
Apple’s updated App Store guidelines also classify voluntary tipping via virtual currency as an in-app purchase, and they restrict how developers may tell customers about alternative payment methods.
Apple and Google face pushback on multiple fronts. Apple’s tipping rule, for example, drew criticism in China, where it affected apps used to tip influential internet celebrities.
Diversifying your investments to mitigate risk
Investing in several different sectors or assets can help mitigate risk and increase the overall return of your portfolio. Diversification can be a good approach for anyone, regardless of the size of their portfolio or their risk profile.
Diversification means allocating your capital across several different asset types and industries. It can be a simple task, such as buying a broad market index, or more complex, such as choosing stocks from different sectors. The main goal of diversification is to spread out the risk across your portfolio.
Historically, different asset classes have behaved differently under different market conditions; for example, bonds have often held up in years when stocks fell. This relationship is not guaranteed, however, and at times the two move together.
Having a diversified portfolio can also help mitigate the risk associated with market events, such as a pandemic, like COVID-19. In this case, a portfolio with a variety of stocks, sectors, and industries would have been less likely to experience losses.
Diversification is also important for older investors, as well as retirees. If you have a high-volatility portfolio, diversification is even more important. This is because the value of a portfolio can be negatively impacted when one investment falls in price. Diversifying your investments can also help to balance your portfolio’s loss when some investments do poorly.
Investing in several different assets is the best way to avoid the risk of a single investment performing poorly. It is also important to diversify beyond your own industry, for instance into foreign stocks, commodities, and alternative assets. Some of these are harder to access and fall outside the oversight of the Securities and Exchange Commission.
Diversification can be achieved with an index fund, which holds the stocks that make up a specific index, or with an asset allocation fund that mixes several asset classes. You can also buy individual stocks, but building a diversified portfolio that way requires a larger investment and more trading fees, so an index fund is often the better alternative.
Diversification can help you to mitigate risk, but it cannot eliminate all risks. It is best to diversify when you have time to monitor your portfolio and make changes when the risk level is out of line with your financial goals.
Products that sell the most
Those interested in selling digital products online may want to check out Gumroad. This platform is designed to help creative people sell their work online. Whether they want to sell a book, a video, or a course, Gumroad is a convenient solution.
Gumroad’s founder, Sahil Lavingia, left Pinterest in 2011 to start a company that would allow creators to sell their work. He saw a growing market for selling work, and he believed that a platform like Gumroad would help to fill it.
The platform is free to join and enables creators to sell digital products. Gumroad also allows physical goods, such as T-shirts, and provides payment processing and file hosting. You can list as many products as you want, sell them one at a time, or set up a membership service.
The platform also allows you to set up an affiliate program. You can create a code that your affiliates can use to sell your products. The platform will then take 5% of each sale plus 25 cents. Having an affiliate program is important to making money on Gumroad.
You can also create a membership service on Gumroad. Memberships are a recurring source of revenue for many creators. The platform has recently expanded its subscription features. It now allows you to create memberships that allow customers to pay you for pre-orders or monthly subscriptions.
The platform allows you to customize your product pages and your content, which will be available to members. You can include your product description and upload photos and videos to your product pages. You can even embed a subscription signup page. You can also offer discounts, offer codes, and license keys.
Some other competitors include Teachable, Substack, and Ko-Fi. These platforms are similar to Gumroad, but they have slightly different features.
Gumroad CEO Sahil Lavingia On How To Succeed In Your Own First 10 Years
This article lists 10 tips that the Gumroad CEO, Sahil Lavingia, credits for the company’s success. In it, he shares insights on how to grow your career and do what you love: staying hungry, making the tough choices, and rising to meet challenges.
- Have A Revenue Goal
As the CEO of Gumroad, Sahil Lavingia knows a thing or two about what it takes to be successful in your first years. In a recent blog post, he shared some of his best advice for those starting out.
One of the most important pieces of advice he had was to make sure you have a revenue goal. It’s not enough to just have a goal for your business; you need to know how much money you want to bring in.
Think about what you need to live on and then set a realistic goal for your first year. This will help you stay focused and motivated as you work towards success.
- Start Growing Early
In order to set yourself up for success in your early years, it is important to start growing early on. This means taking the time to develop a clear and concise business plan, as well as working on building a strong team of individuals who can help you achieve your goals. Additionally, it is crucial to focus on creating a positive company culture from the start – this will attract top talent and help retain employees in the long run. Finally, don’t be afraid to invest in marketing and PR – getting your name out there is an essential part of growing a successful business.
- Get Feedback From Your Users
If you’re running your own business, it’s important to get feedback from your users in order to improve your products or services. Here are some tips from Gumroad’s CEO on how to do just that:
Make it easy for users to give feedback.
Make sure there’s a simple way for users to provide feedback, whether it’s through an online form, email, or even a phone number. The easier it is for them, the more likely they are to actually take the time to do it.
Ask specific questions.
Don’t just ask “how was your experience?” but rather drill down and ask specific questions about what they liked and didn’t like. This will give you more actionable information that you can use to improve your business.
Follow up with users who leave feedback.
Whether it’s positive or negative, follow up with the user who left the feedback to thank them for their time and let them know what actions you’re taking as a result of their input. This shows that you’re taking their feedback seriously and value their input.
- Spread Your Risk Across Multiple Industries
As an entrepreneur, it’s important to remember that you can’t put all your eggs in one basket. Diversifying your portfolio across multiple industries is a smart way to mitigate risk and ensure that your business can weather any storm.
Of course, this doesn’t mean that you should invest in every industry under the sun. Instead, take the time to research different sectors and look for opportunities where you think you can make a real impact.
Once you’ve identified a few potential industries, it’s time to start spreading your risk. One way to do this is by investing in multiple companies within each sector. This will give you a better chance of seeing success even if one particular industry takes a hit.
Another approach is to invest in different types of businesses within each industry. For example, if you’re interested in the healthcare sector, you could invest in both medical technology companies and pharmaceuticals firms.
No matter which strategy you choose, remember that diversity is key when it comes to mitigating risk. By spreading your investments across multiple industries, you’ll be positioning yourself for long-term success.
- Staking Your Claim To A Niche Space Is Important
As Gumroad’s CEO, Sahil Lavingia knows a thing or two about building a successful business from the ground up. In a recent interview, he offered some helpful tips for anyone hoping to do the same in their own first years. Among them was the importance of staking your claim to a niche space.
“If you’re starting a business today, it’s more important than ever to have a very clear focus,” Lavingia said. “There are so many options and distractions out there that it’s easy to get pulled in different directions. But if you can stay focused on your niche, it’ll be much easier to find success.”
It can be tempting to try and be everything to everyone, but as Lavingia points out, that’s rarely a recipe for success. It’s much better to focus on serving a specific group of people with an offering that meets their needs in a unique way. When you’re able to do that, you’ll not only stand out from the competition, but you’ll also be far more likely to build a sustainable and successful business.
- Create Something Scarce
As Gumroad’s CEO, Sahil Lavingia knows a thing or two about building a successful business. In this blog article, he shares his top tips for anyone starting out in their own business. One key piece of advice is to create something scarce.
When you’re first starting out, it’s easy to feel like you need to be everywhere and do everything. But the truth is, you can’t be everything to everyone. You need to focus your attention on creating something unique and special that people can’t find anywhere else.
Think about what it is that makes your business different from all the others out there. What can you offer that no one else can? Once you’ve identified your unique selling point, make sure it’s prominently featured on your website and in all your marketing materials.
If you can create something truly scarce, you’ll have a much better chance of attracting attention and succeeding in your first years in business.
- Rarely Compete For The Same Customers
If you’re starting a business, it’s important to remember that you won’t always be competing for the same customers. In fact, it’s quite rare for two businesses to be in direct competition with each other.
There are a few reasons for this:
- There are always different niches within any market. Even if two businesses appear to be selling the same thing, there will always be some subtle (or not so subtle) difference that makes each business appealing to different types of customers.
- Customers rarely make purchasing decisions based solely on price. Sure, price is always a factor, but it’s rarely the only factor. More often than not, customers will choose the business that offers the best combination of price, quality, and service.
- Even if two businesses are in direct competition with each other, they seldom have an identical customer base. This is because every customer is unique and has their own individual needs and wants. As a result, even if two businesses are selling the exact same product or service, they’ll still appeal to different types of customers.
So if you’re just starting out, don’t worry too much about competition. Remember that there’s always room for another player in any marketplace, as long as you’re offering something slightly different from what’s already out there.
- Know Who Your Competition Is
Your competition is anyone who is offering a product or service that is similar to yours. This means that you need to research your industry and find out who your target market is. Once you know who your target market is, you can start to identify your competition.
There are a few different ways that you can research your competition. One way is to search online for industry-specific forums and see who is talking about your topic. Another way is to attend industry events and meet people in person. You can also read trade publications to learn more about your industry.
Once you have identified your competition, you need to take some time to research their businesses. Find out what they are doing well and what they could improve upon. This information will help you create a marketing plan that will make your business stand out from the crowd.
Gumroad CEO Sahil Lavingia
Getting the right CEO to run your business is a crucial step for your company. With the right CEO, you will have a much easier time attracting the right investors, diversifying your revenue streams, and maintaining a positive company culture.
Product analysis
Among the many companies in the digital product sales space, Gumroad has a unique story and a unique vision for the future. This week, we had a chance to speak with CEO Sahil Lavingia about the company’s origins, the products it has rolled out, and what’s next. Among the many perks, Gumroad allows creators to work on their own schedule: if you can find a day free from the office, you can put your work up for sale on the open market.
For a company that has only been around for about a decade, Gumroad’s product list is an impressive one. Aside from digital product sales, Gumroad provides creators with tools to help them build an audience and monetise their work, and its business model lets creators sell work directly to their fans and friends.
We also asked about Substack, which competes in the same creator space. Lastly, we talked about the company’s ten years in the making: its recent changes, the pitfalls of being a startup, and where it’s going next. With a slew of high-profile investors, a storied tech lineup, and an enthusiastic community, it’s no wonder that Gumroad is on its way to becoming a household name. If the company can keep its promise to its users, the future is a bright one indeed.
Diversification of revenue streams
Creating multiple revenue streams is a smart move for any business. Not only can it help to mitigate risk, it can also help to increase the value of your company. With multiple revenue streams, you are able to capitalize on different markets and increase visibility. These revenues can come from various sources, including recurring revenue, transactional revenue, and licensing.
Aside from providing a platform for generating revenue, Gumroad has also helped to make it easier for users to sell their wares. This includes tools such as Facebook sharing buttons and Twitter widgets. The site also offers code to help users embed products on their websites.
While Gumroad may not be the first website you’ll think of when you need to sell your products, it has helped to create over 50 million dollars in revenue for its creators. And you can even get paid through PayPal.
For example, Gumroad lets you sell a digital product at a fixed price, a subscription price, or for free. Gumroad also lets you offer personalized buttons and widgets. Gumroad also allows you to set a minimum price for your product and gives you access to a range of financial processing options.
The site also has a few other features, such as a free e-book download feature, a widget to embed a product on your website, and code to embed your products on social media sites. Gumroad also offers a few perks you don’t see in other sites. For example, you can use their API to create a custom-price shopper for your Gumroad store. This will allow you to track your customers’ interests and improve the likelihood that they’ll buy from you in the future.
Despite the fact that there are many sites to sell your digital goods on, you may want to consider diversifying your revenue streams to help you stand out in the crowd. Having a few different sources of income can help you weather tough economic times, and even help you build a scalable business. The more revenue streams you have, the more likely you are to succeed.
All-star cast of angel investors
SV Angel, Accel Partners, Naval Ravikant, and a whole host of other investors have backed the payments startup Gumroad. The startup is raising $6 million at a valuation of $100 million, having already received over $1.1 million in seed funding.
Gumroad has a simple promise. It wants to make it easy for artists to sell their work directly to their followers, without having to go through a traditional online distribution system. It does this by protecting transactions through strict PCI compliance. It also provides creators with the opportunity to work at their own pace, while earning money for their work.
Gumroad has a few beliefs that define its strategy, and they will pay off in the end. Unlike many venture-backed startups, Gumroad is not interested in measuring success by how much money it raises. Instead, it wants to be a part of the creator economy. Ultimately, Lavingia wants Gumroad to be the first company that people click on when they see a link to something. This goal isn’t unusual in today’s market.
In addition to SV Angel, Gumroad’s investors include Josh Kopelman, Naval Ravikant, Chris Sacca, Matan-Paul Shetrit, Dylan Field, and more. The round is also backed by part-time creators and YouTubers who sell on Gumroad, and the company plans to continue raising through crowdfunding until it goes public.
The company has also teamed up with Atomico, which recently launched a new angel investment program to help participants invest $100k in European startups. Gumroad’s founder and CEO, Sahil Lavingia, is one of the participants.
Angel investor Maria Raga is also involved. The former chief executive of the creator-centric startup Depop, she is part of Atomico’s angel investment programme and has also invested in the travel-tech startup Journee.
Gumroad has a unique story. It was founded by a 19-year-old college dropout and has faced many challenges along the way, but the startup is now on track to reach a $100 million valuation. Ultimately, Gumroad believes its philosophical approach will pay off in the end.
Simple promise
Founded in 2011, Gumroad was not the most prominent business in its industry. But its founders believed in a vision that would become a part of the broader creative economy. And with a team of all-star angel investors, Gumroad sold its vision to investors before any other company could.
The company grew and developed over the years, but it was never a billion-dollar business. Instead, it was a company that struggled for ten years. However, its philosophy, which rejects the traditional venture-backed metrics of success, ultimately paid off. The creators that make up Gumroad receive payment for their work, and they can choose to work on their own time.
It’s not easy to predict the future of a creative economy, but Gumroad is confident it will succeed. It’s a company that values philosophy over numbers, and its founder’s guiding principles shape how the business is run. As a result, it has rejected traditional metrics of success, such as venture capital raised, in favour of a flexible timetable and flexible working hours. In this way, the company is not just creating a product; it’s creating a culture.
In an interview with The Business of Business, Gumroad CEO Sahil Lavingia reflected on his experiences with the company and talked about its future. Ultimately, Lavingia believes in the creator economy and believes it will continue to expand. There are a number of other companies, like Cameo, Ko-Fi, and Teachable, that are also expanding the creative economy, and Gumroad isn’t alone in its promise. The company has a lot of promise, and its philosophy is one that will pay off in the end. So, if you’re a creator, you should check out Gumroad. It could be the company that takes your work to the next level.
Russian SVR was behind the SolarWinds attack, according to the US authorities.

Networks belonging to numerous U.S. federal agencies and private companies were breached through the SolarWinds supply-chain attack, which the U.S. government has now officially attributed to Russia.
In a statement announcing sanctions against Russia for actions against U.S. interests, the White House names the Cozy Bear group of skilled hackers as the perpetrators of the cyber-espionage operation that abused the SolarWinds Orion platform.
Clearly stated attribution
The White House press release confirms earlier media reports, based on anonymous sources, that the SolarWinds attack was carried out by the Russian Foreign Intelligence Service, the SVR.
At the beginning of January, the Cyber Unified Coordination Group (UCG) had attributed the attack only to an unnamed actor “likely Russian in origin.”
Today, 15 April 2021, the White House officially holds the SVR responsible for running “the broad-scope cyber espionage campaign” through its hacking unit, also tracked as APT29, The Dukes, or Cozy Bear.
According to the White House brief, “the U.S. Intelligence Community has high confidence in its judgement of attribution to the SVR.”
The SVR’s compromise of the SolarWinds software supply chain gave it a foothold on more than 16,000 systems worldwide, but the campaign was used against only a small number of targets, including U.S. federal and state institutions and cybersecurity companies such as FireEye, Malwarebytes, and Mimecast. The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have issued a joint cybersecurity advisory on the five publicly known vulnerabilities the SVR is exploiting against U.S. and allied networks: CVE-2018-13379 (Fortinet FortiGate VPN), CVE-2019-9670 (Synacor Zimbra), CVE-2019-11510 (Pulse Secure VPN), CVE-2019-19781 (Citrix ADC and Gateway), and CVE-2020-4006 (VMware Workspace ONE Access).
Organizations should heed the warning: patch these products if they are still exposed, and hunt for the post-exploitation activity the advisory describes.
Russian businesses are sanctioned
Today, President Biden signed Executive Order 14024, blocking the property of persons involved in specified harmful foreign activities of the Government of the Russian Federation.
Under that order, the Treasury Department has sanctioned the following Russian technology firms for supporting malicious cyber activities against the United States by the SVR, Russia’s Federal Security Service (FSB), and Russia’s Main Intelligence Directorate (GRU).
ERA Technopolis is a research centre and technology park funded and operated by the Russian Ministry of Defense. It houses and supports the GRU and draws on the personnel and expertise of the Russian technology sector to develop military and dual-use technologies.
Pasit, a company headquartered in Russia, conducted research and development in support of the SVR’s malicious cyber operations.
SVA is a Russian state-owned research institute specialising in advanced information-security systems. It conducted research and development in support of the SVR’s malicious cyber operations.
Neobit is an IT security company based in Saint Petersburg, Russia, whose clients include the Russian Ministry of Defense, the SVR, and the FSB. Neobit conducted research and development in support of the cyber operations of the FSB, GRU, and SVR. Neobit was also designated today for providing material support to the GRU pursuant to E.O. 13694, as amended by E.O. 13757, E.O. 13382, and the Countering America’s Adversaries Through Sanctions Act (CAATSA).
AST is an IT security company whose clients include the Russian Ministry of Defense, the SVR, and the FSB. AST provided technical support to the cyber operations of the FSB, GRU, and SVR, and was also designated today for supporting the FSB pursuant to E.O. 13694, E.O. 13382, and CAATSA.
Positive Technologies is a Russian IT security company whose clients include the Russian government, among them the FSB. Besides providing network security solutions to Russian businesses, foreign governments, and international companies, Positive Technologies hosts large conventions that are used as recruiting events for the FSB and GRU. Positive Technologies was also designated today for supporting the FSB pursuant to E.O. 13694, E.O. 13382, and CAATSA.
U.S. firms and financial institutions may no longer do business with these companies without first requesting and receiving a licence from the Office of Foreign Assets Control (OFAC).
FBI: FIN7 hackers target defence companies with BadUSB devices to deploy ransomware

In a recently updated flash alert, the Federal Bureau of Investigation (FBI) warned US businesses that the financially motivated FIN7 cybercriminal group has been mailing packages containing malicious USB devices to the US defence industry in order to deploy ransomware.
The packages contain “BadUSB” or “Bad Beetle USB” devices bearing LilyGO branding, a type of board that is widely sold online.
Since August 2021 the group has sent these packages via the United States Postal Service (USPS) and United Parcel Service (UPS) to companies in the transportation and insurance sectors, and since November 2021 to defence companies as well.
Networks hit with BlackMatter and REvil ransomware
Targets were duped into opening the shipments and plugging the USB drives into their computers by FIN7 agents posing as representatives from Amazon and the US Department of Health & Human Services (HHS).
According to reports the FBI has received since August, these packages may also include letters about COVID-19 guidelines, fake gift cards, or forged thank-you notes, depending on which party is being impersonated.
As soon as the target plugs the drive in, it registers itself as a Human Interface Device (HID) keyboard, which lets it operate even on systems where removable storage devices are disabled.
It then injects keystrokes that download and install malware payloads on the system.
FIN7’s ultimate objective in these attacks is to gain access to the target’s network and then use a variety of tools, including Metasploit, Cobalt Strike, the Carbanak malware, the Griffon backdoor, and PowerShell scripts, to deploy ransomware (including BlackMatter and REvil) across the compromised network.
Teddy bears were used to spread malware
The FBI previously issued a warning about a previous string of events in which FIN7 actors pretended to be Best Buy and sent similar shipments containing malicious flash drives to lodging facilities, dining establishments, and retail establishments via USPS.
Reports about these assailants first surfaced in February 2020. Additionally, some of the targets said that the hackers threatened them via phone or email to connect the discs to their systems. The infected parcels supplied by FIN7 also contained objects like teddy bears intended to deceive targets into relaxing their guard, starting at least in May 2020.
Attacks like FIN7’s are referred to as HID or USB drive-by attacks, and they only succeed if targets insert the unfamiliar USB device into their workstations, whether voluntarily or because they were pressured into it.
Organisations can defend against such attacks by restricting the USB devices employees may use to those whose hardware IDs have been approved by the company’s security team, and by treating any other device, particularly one that enumerates as a keyboard, as suspect.
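To make the hardware-ID allowlisting described above concrete, here is an added example (not from the FBI alert or this article) of the detection side: it reads device-enrolment events, extracts each device’s USB vendor:product hardware ID, and flags any device that is not on an approved list, escalating when the device registered in a keyboard or HID class, which is exactly what a BadUSB stick does. The log lines, host names, vendor/product IDs and the `host=`/`EventID=`/`DeviceID=`/`ClassGUID=` field layout are constructed to resemble a flattened Windows Security event 6416 (“A new external device was recognized by the system”) and are assumptions, not real records; the setup-class GUIDs are the standard Windows values. The allowlist maps each approved hardware ID to the classes it is expected to appear in, so an approved-looking thumb drive that suddenly enumerates as a keyboard is still flagged.

```python
"""Flag USB devices that enumerate outside the approved hardware-ID allowlist.

Added example; not code from the FBI alert or the article. Sample log lines,
host names and vendor/product IDs below are constructed (assumptions).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Standard Windows device setup-class GUIDs (lower-case for comparison).
KEYBOARD_CLASS_GUID = "{4d36e96b-e325-11ce-bfc1-08002be10318}"  # "Keyboard"
HID_CLASS_GUID = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"       # "HIDClass"
USB_CLASS_GUID = "{36fc9e60-c465-11cf-8056-444553540000}"       # "USB" (hubs, composite parents)
INPUT_CLASSES = {KEYBOARD_CLASS_GUID, HID_CLASS_GUID}

# Allowlist maintained by the security team: hardware ID -> classes it may use.
# Values are assumptions for this example, not real corporate assets.
APPROVED_DEVICES: Dict[str, Set[str]] = {
    "046d:c31c": {KEYBOARD_CLASS_GUID, HID_CLASS_GUID},  # issued keyboard model
    "0781:5567": {USB_CLASS_GUID},                       # issued thumb drive model
}

# Constructed log lines in a flattened key=value layout (assumed SIEM format).
SAMPLE_LINES = [
    r"2022-01-07T09:15:02Z host=WS-1042 EventID=6416 DeviceID='HID\VID_046D&PID_C31C&MI_00\8&1a2b3c&0&0000' ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318} ClassName=Keyboard",
    r"2022-01-07T09:16:10Z host=WS-1042 EventID=6416 DeviceID='USB\VID_0781&PID_5567\4C530001' ClassGUID={36fc9e60-c465-11cf-8056-444553540000} ClassName=USB",
    r"2022-01-07T09:20:41Z host=WS-2048 EventID=6416 DeviceID='HID\VID_1234&PID_5678&MI_00\8&2a1b3c&0&0000' ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318} ClassName=Keyboard",
    r"2022-01-07T09:21:05Z host=WS-2048 EventID=6416 DeviceID='HID\VID_0781&PID_5567&MI_00\8&3c4d5e&0&0000' ClassGUID={4d36e96b-e325-11ce-bfc1-08002be10318} ClassName=Keyboard",
    r"2022-01-07T09:25:33Z host=WS-3001 EventID=6416 DeviceID='USB\VID_2222&PID_3333\00000001' ClassGUID={36fc9e60-c465-11cf-8056-444553540000} ClassName=USB",
    r"2022-01-07T09:26:00Z host=WS-3001 EventID=4624 LogonType=2 TargetUserName=jdoe",
]

FIELD_RE = re.compile(r"(\w+)=('[^']*'|\S+)")
HWID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


@dataclass(frozen=True)
class Finding:
    host: str
    hwid: str
    device_id: str
    severity: str  # "high" = unapproved input device (BadUSB pattern), "medium" = other


def parse_fields(line: str) -> Dict[str, str]:
    """Split a flattened key=value event line; quoted values may contain spaces/backslashes."""
    return {k: v.strip("'") for k, v in FIELD_RE.findall(line)}


def hardware_id(device_id: str) -> Optional[str]:
    """Extract vendor:product as lower-case hex from a Windows device instance ID."""
    m = HWID_RE.search(device_id)
    return f"{m.group(1)}:{m.group(2)}".lower() if m else None


def find_unapproved_devices(lines: Iterable[str], approved: Dict[str, Set[str]]) -> List[Finding]:
    """Return devices whose hardware ID is not approved for the class they enumerated in."""
    findings: List[Finding] = []
    for line in lines:
        f = parse_fields(line)
        if f.get("EventID") != "6416":          # only new-device events
            continue
        hwid = hardware_id(f.get("DeviceID", ""))
        if hwid is None:                        # root hubs, SWD devices etc. carry no VID/PID
            continue
        cls = f.get("ClassGUID", "").lower()
        if cls in approved.get(hwid, set()):    # approved ID *and* expected class
            continue
        severity = "high" if cls in INPUT_CLASSES else "medium"
        findings.append(Finding(f.get("host", "?"), hwid, f["DeviceID"], severity))
    return findings


def usbguard_allow_rules(approved: Dict[str, Set[str]]) -> List[str]:
    """Emit the equivalent USBGuard allow-by-ID rules for the same allowlist (Linux hosts)."""
    return [f"allow id {hwid}" for hwid in sorted(approved)]


if __name__ == "__main__":
    for finding in find_unapproved_devices(SAMPLE_LINES, APPROVED_DEVICES):
        print(f"[{finding.severity.upper()}] {finding.host}: {finding.hwid} -> {finding.device_id}")
    print("\n".join(usbguard_allow_rules(APPROVED_DEVICES)))
```

Run against the constructed sample, the unknown keyboard on WS-2048 and the “thumb drive” that came up as a keyboard are reported as high, the unknown storage-class device as medium, and the two issued devices are not reported. The same vendor:product allowlist drives enforcement: on Windows through the Device Installation Restrictions Group Policy (“Allow installation of devices that match any of these device IDs”, with installation of all other devices prevented), on Linux through USBGuard rules such as the `allow id` lines the script emits. Note that a hardware ID is data the attacker controls, so allowlisting raises the bar rather than closing it; the class-mismatch check is what catches a cloned ID.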
Press Release
Heroku acknowledges that a cyberattack resulted in the theft of user credentials.

The GitHub integration OAuth tokens stolen last month were also used to reach an internal customer database, Heroku said in an updated statement.
The Salesforce-owned cloud platform acknowledged that the same compromised token was used by the attackers to steal customers’ hashed and salted credentials from “a database.”
Heroku released the update after BleepingComputer contacted Salesforce yesterday.
Even though BleepingComputer doesn’t have any OAuth integrations that leverage Heroku apps or GitHub, we unexpectedly received a password reset email from Heroku, like many other users. This suggested that there was another reason for these password resets.
Forced password resets are explained by Heroku.
Following the security breach from last month, Heroku began this week forcing password resets for a portion of its user accounts without providing a detailed justification.
On Tuesday evening, some Heroku users received emails with the subject line “Heroku security notification – resetting user account passwords on May 4, 2022,” informing them that their account passwords would be reset as a result of the security breach. The email noted that the reset would also invalidate all API access tokens and force users to create new ones.
The original incident, however, involved threat actors stealing OAuth tokens issued to Heroku and Travis-CI and using them to download data from private GitHub repositories belonging to a number of organisations, including npm.
According to a previous statement from GitHub, “On April 12, GitHub Security started an investigation that uncovered evidence that an attacker exploited stolen OAuth user tokens issued to two third-party OAuth integrators, Heroku and Travis-CI, to download data from dozens of organisations, including npm.”
These tokens had been used by the Heroku and Travis-CI OAuth integrations to connect to GitHub and deploy apps.
Threat actors could access and download data from GitHub repositories belonging to users who gave their accounts permission to the stolen Heroku or Travis CI OAuth apps by stealing these OAuth tokens. Notably, the issue had no effect on GitHub’s infrastructure, processes, or private repositories.
But up until this point, it was still unclear why Heroku would need to reset some user account passwords.
It turns out that threat actors were able to access Heroku’s internal database of client accounts through the compromised token for a Heroku machine account:
Heroku’s updated security notice reads: “Our research also discovered that the same compromised token was used to access a database and exfiltrate the hashed and salted passwords for users’ accounts.”
“Because of this, Salesforce is making sure that all Heroku user passwords are changed and that any potentially vulnerable credentials are updated. We have added more detections and rotated internal Heroku credentials. We are still looking into the token compromise’s origin.”
A reader of YCombinator Hacker News suggested that the “database” being discussed might be what was formerly known as “core-db.”
Craig Kerstiens of the PostgreSQL platform CrunchyData, a former employee of Heroku, is the reader in question.
According to Kerstiens, the internal database is referenced in the most recent report as “a database.”
“It appears [the attacker] had access to internal systems, but I don’t want to guess too much. It was discovered, noted, and reported to Heroku by GitHub. You can’t argue against the need for further clarity, but it would be wise to follow up with Salesforce on that.”
After being contacted by BleepingComputer, Kerstiens acknowledged writing these statements.
Customers call the vague disclosure a “train wreck”
In its initial statement about the security breach, Heroku said that attackers had used compromised Heroku OAuth tokens to gain unauthorised access to customers’ GitHub repositories.
The business has previously said that “The compromised tokens could give the threat actor access to customer GitHub repos, but not customer Heroku accounts.”
However, the password reset emails legitimately raised consumer worries that Heroku’s investigation might have turned up additional malicious activity by the threat actors that wasn’t being made public.
The disclosure was termed “a complete train wreck and a case study on how not to interact with your customers,” by some YCombinator Hacker News readers.
Heroku has started to shed some light on the issue in an effort to be more open with the community.
According to Heroku, “We embrace transparency and recognise that our customers are looking for a deeper understanding of the implications of this incident and our reaction thus far.”
The cloud platform added that, after working with GitHub, threat intelligence vendors, industry partners, and law enforcement during the investigation, it had reached a stage where more information could be disclosed without jeopardising the ongoing inquiry.
Travis-CI, the other third-party integrator involved, stated on the business day following GitHub’s initial notice that none of its customers’ data had been compromised in the incident.
Users of Heroku are urged to keep checking the security notification page for updates concerning the incident.