sequelize version 3.0.0, two security related changes were introduced:
findOneno longer takes a string / integer / binary argument to represent a primaryKey. Use
where: "raw query"is no longer legal, you must now explicitly use
where: ["raw query", [replacements]]
Upgrade to version 3.0.0 or greater.