Security Bulletins

November 30, 2023, 9:00 AM PST

The Trade Desk Cybersecurity Team is aware of the security incident disclosed on Oct 20, 2023, affecting Okta’s customer support management system, by which The Trade Desk was not affected.

Following new developments published by Okta on Nov 29, 2023, The Trade Desk is taking steps to determine any impact to our customers. Please note, The Trade Desk previously implemented best practices such as MFA and phishing awareness in our environments and is working to ensure additional recommendations are in place.

At this time, we are not aware of any impact to The Trade Desk or its customers and have not been notified of such. If that or any other developments surface, this bulletin will be updated accordingly.

If you have any questions, please direct all inquiries to infosec@​thetradedesk.​com.

June 28, 2023, 10:00 AM PST

The Trade Desk Cybersecurity Team is aware of and continuing our analysis of CVE-2023 – 34362, CVE-2023 – 35036, and CVE-2023 – 35708 related to Progress MOVEit File Transfer software.

At this time, we can confirm that The Trade Desk does not utilize the MOVEit File Transfer software. If we become aware of unauthorized access to customer data, we will notify affected customers without undue delay.

If you have any questions, please direct all inquiries to infosec@​thetradedesk.​com.

December 10, 2022, 10:00 PM PST

The Trade Desk was made aware of CVE-2022 – 3602 and CVE-2022 – 3786 which affected versions of OpenSSL in late October 2022. Immediately upon disclosure The Trade Desk security teams began an exposure discovery process. Through this process an extremely limited number of assets were identified to have a potentially affected version which were patched immediately out of abundance of caution once the OpenSSL patches were issued, and after the OpenSSL project had also downgraded the severity of the vulnerability from Critical to Serious. 

To date, there have been no identified indicators of compromise within The Trade Desk Platform or Corporate environments. In addition to monitoring the threat landscape for attacks, penetration testing our own attack surface and monitoring our bug bounty program for submissions, we are continuing to evaluate any potential impact from affected third-party services in our supply chain.

If you have any questions, please direct all inquiries to infosec@​thetradedesk.​com.

December 15, 2021, 4:00 PM PST

The Trade Desk Security Team is aware of and is continuing our analysis of the remote code execution vulnerability CVE-2021 – 44228 (also known as Log4Shell) and the denial of service (DoS) vulnerability CVE-2021 – 45046 related to Apache Log4j, a logging tool used in many Java-based applications.

We have analyzed our source code and determined that the affected versions of Apache Log4j (v2.0 through v.2.15) were not in use within The Trade Desk Platform codebase.

During our investigation, our teams identified various third-party tools in use throughout our enterprise that were running versions of Log4j affected by CVE-2021 – 44228. These tools were immediately upgraded to Log4j v2.15 to mitigate this vulnerability. In response to the subsequently disclosed Denial of Service vulnerability (CVE-2021 – 45046), these tools are now in the process of being upgraded to Log4j v2.16.​

To date, there have been no identified indicators of compromise within The Trade Desk Platform or Corporate environments. In addition to monitoring the threat landscape for attacks, penetration testing our own attack surface and monitoring our bug bounty program for submissions, we are continuing to evaluate any potential impact from affected third-party services in our supply chain.

If you have any questions, please direct all inquiries to infosec@​thetradedesk.​com.​

December 13, 2021, 4:00 PM PST

The Trade Desk Security Team is aware of and is continuing our analysis of the remote code execution vulnerability CVE-2021 – 44228 (also known as Log4Shell) related to Apache Log4j, a logging tool used in many Java-based applications, disclosed on December 9^th, 2021.

To date, we have analyzed the platform source code and determined that the affected versions of Apache Log4j are not in use within the application codebase.

In addition to monitoring the threat landscape for attacks, penetration testing our own attack surface and monitoring our bug bounty program for submissions, we are evaluating any potential impact from affected third-party services in use in our environment.

If you have any questions, please direct all inquiries to infosec@​thetradedesk.​com.​