Trust & Compliance Center


At SavvyMoney, safeguarding your data is more than a commitment - it's an integral part of our DNA. We consider it our prime responsibility to uphold unrivaled confidentiality, privacy, and security standards to shield your data.

Explore further by selecting any topic card, or enhance your access to comprehensive knowledge base responses and downloadable documentation by setting up an account.

Documents

2024-07-31 AWS Outage RCA
Knowledge Base (FAQ)
Trust & Compliance Center Updates

Security Update: Shai Hulud 2.0 Supply-Chain Malware

Vulnerabilities

Dear Partner,

We want to provide clarity regarding the recently reported Shai Hulud 2.0 supply-chain malware affecting specific open-source packages. SavvyMoney has completed an internal review and has not been impacted.

Validated Findings

  • There is no evidence of impact to SavvyMoney’s codebase, infrastructure, partner integrations, or production systems.
  • Our security team performed a full review of dependency packages, development pipelines, and build systems. No affected components were identified.
  • As part of standard protocol, we confirmed all credentials, pipeline secrets, and access tokens remain secure and rotated as required by policy.
  • All SavvyMoney services are operating normally, and no action is required from partners.

We take supply-chain security seriously and continue to monitor this event in coordination with our security vendors and ecosystem partners. If new information emerges, we will notify you.

If you have any questions, please contact SavvyMoney Security at security@savvymoney.com.

Thank you,
SavvyMoney Security Team

SavvyMoney Security Update: Shai-Hulud npm Attack

Vulnerabilities

We are aware of the recent Shai-Hulud npm supply-chain attack, in which malicious versions of multiple npm packages were published with a post-install script that harvested sensitive data and propagated further using compromised tokens.

At this time, SavvyMoney is not impacted by this attack. We have reviewed our dependencies and supply chain; no affected package versions have been used within our platform.

What We Do to Keep You Secure

  • We maintain a rigorous dependency audit process, including automated and manual reviews.
  • All third-party libraries are vetted for known vulnerabilities before being used.
  • We monitor threat intelligence feeds continuously and have teams ready to respond to emerging security risks.
  • Any credentials, tokens, or secrets in use follow strict access controls and are rotated regularly.
  • We use secure build pipelines, code signing, and environment isolation to limit exposure.

What You Can Do

While you can trust that SavvyMoney is not impacted, we encourage clients and users to:

  • Review your own environments for any dependency vulnerabilities.
  • Ensure that npm tokens, GitHub tokens, or other credentials are stored securely.
  • Rotate any keys or secrets if there is suspicion of exposure.
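The first recommendation above, reviewing your own environment for affected dependencies, can be partly automated. The script below is an added example, not SavvyMoney's tooling: it walks an npm install tree, flags every package that declares an install-time lifecycle hook (the mechanism the attack described above relied on), and compares installed name@version pairs against an advisory list. The advisory list here is a labelled placeholder, and the `demo()` function builds a constructed `node_modules` tree in a temporary directory so the script runs offline.

```python
"""Scan an npm install tree for install-time lifecycle scripts and for
package versions named in an advisory feed. Added example; assumes the
standard node_modules layout. ADVISORY below is a CONSTRUCTED placeholder."""
import json
import sys
import tempfile
from pathlib import Path

# Hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Placeholder advisory data (package name -> affected versions). Real data
# would come from the npm advisory database or a vendor threat feed.
ADVISORY = {"example-widget": {"1.2.3", "1.2.4"}}


def is_package_root(manifest: Path) -> bool:
    """True for node_modules/<pkg>/package.json or node_modules/@scope/<pkg>/package.json,
    false for package.json files buried inside a package's own dist/ or test/ folders."""
    up = manifest.parent.parent
    if up.name == "node_modules":
        return True
    return up.name.startswith("@") and up.parent.name == "node_modules"


def scan(node_modules: Path) -> list:
    """Return one finding dict per suspicious package (hook present or advisory match)."""
    findings = []
    for manifest in sorted(node_modules.rglob("package.json")):
        if not is_package_root(manifest):
            continue
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest; skip rather than crash the scan
        name, version = meta.get("name"), meta.get("version")
        if not name or not version:
            continue
        scripts = meta.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        if hooks:
            findings.append({"package": f"{name}@{version}",
                             "reason": "install hook", "detail": hooks})
        if version in ADVISORY.get(name, ()):
            findings.append({"package": f"{name}@{version}",
                             "reason": "advisory match", "detail": None})
    return findings


def build_sample_tree(root: Path) -> Path:
    """Write a CONSTRUCTED node_modules tree covering the cases the scanner handles."""
    nm = root / "node_modules"
    samples = {
        "safe-lib": {"name": "safe-lib", "version": "2.0.0", "scripts": {"test": "jest"}},
        "example-widget": {"name": "example-widget", "version": "1.2.3",
                           "scripts": {"postinstall": "node setup.js"}},
        "@acme/hooked": {"name": "@acme/hooked", "version": "0.1.0",
                         "scripts": {"preinstall": "node check.js"}},
        # nested dependency without hooks: must be visited but produce no finding
        "safe-lib/node_modules/nested": {"name": "nested", "version": "1.0.0"},
    }
    for rel, meta in samples.items():
        pkg_dir = nm / rel
        pkg_dir.mkdir(parents=True, exist_ok=True)
        (pkg_dir / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    # a package.json that is NOT a package root and must be ignored
    (nm / "safe-lib" / "dist").mkdir()
    (nm / "safe-lib" / "dist" / "package.json").write_text(
        json.dumps({"name": "decoy", "version": "9.9.9", "scripts": {"postinstall": "x"}}),
        encoding="utf-8")
    return nm


def demo() -> list:
    """Run the scanner over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for f in (scan(target) if target else demo()):
        print(f"{f['reason']:15} {f['package']}  {f['detail'] or ''}")
```

Run it with the path to a project's `node_modules` to list hook-bearing and advisory-listed packages; with no argument it scans the constructed sample tree. A hook is not proof of compromise (many legitimate native-addon packages use `install`), but the list is short enough to review by hand, and it is the set that should be cross-checked against lockfile diffs after any suspicious install.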

Update on TransUnion Data Breach – SavvyMoney Platform Not Impacted

Subprocessors

Recent reports confirm that a data breach at TransUnion affected approximately 4.4 million U.S. consumers. The incident was tied to a third-party Salesforce application used in their consumer support operations. No TransUnion credit databases, credit scores, or credit reports were impacted.

SavvyMoney’s platform and Salesforce environment were not affected. We do not use Salesloft, Drift, or similar Salesforce integrations targeted in this campaign.

TransUnion will notify any affected consumers directly and provide credit monitoring services. SavvyMoney continues to monitor the broader Salesforce supply chain issue and validate vendor integrations as part of our security practices.

CSA STAR Level II Certification Achieved

Compliance

We proudly announce that SavvyMoney has achieved the Cloud Security Alliance (CSA) STAR Level II Certification. This prestigious certification underscores our unwavering commitment to cloud security and data protection.

The CSA STAR Level II Certification is a rigorous, independent assessment that evaluates the security measures we have implemented to protect our clients' data. This certification validates our robust security framework and demonstrates our dedication to maintaining the highest cloud security standards.

At SavvyMoney, we strive to give our clients the utmost confidence in our security practices. Achieving the CSA STAR Level II Certification reinforces our promise to safeguard sensitive information and deliver exceptional service.

Please login to download the CSA STAR Level II Certification.

Urgent: Compliance and Security Update for Email Servers

Compliance

Dear IT Teams,

As part of our commitment to maintaining the highest standards of email communication security and compliance, SavvyMoney is actively updating our email server configurations. We strongly encourage you to review and update your email server settings. This initiative is crucial for avoiding delivery issues and fortifying the security of our mutual email interactions.

Important Update - TLS Configuration and Certificate Verification:

Starting March 31st, 2024, SavvyMoney will enforce stricter security measures regarding email communications. Specifically, we will verify the validity of public TLS certificates and ensure that hostnames match accordingly. This measure is crucial to maintaining secure and trusted communication channels.
If your organization's email servers present certificates that are not valid under these standards (for example, expired or not matching the hostname), SavvyMoney will be unable to send email to your domain. This step underscores our commitment to safeguarding our digital ecosystem against potential security threats.

Recommendations for IT Teams:

  1. Review and update TLS certificates: Ensure all certificates are current and valid and properly match the hostnames to comply with our upcoming security protocols.
  2. Verify DNS Settings: Reassess your DNS configurations, focusing on Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting & Conformance (DMARC), and DomainKeys Identified Mail (DKIM) settings. Correct and secure DNS settings are vital for email authentication and protection against malicious activities.
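Both recommendations can be checked before the enforcement date. The script below is an added example, not SavvyMoney's verification code: the offline functions implement the certificate checks described above (hostname matching against the certificate's DNS names, including the wildcard rule, and the validity window) and flag weak SPF and DMARC records; `probe_mx_tls` performs the live STARTTLS check with Python's default verifying context and is the only function that needs network access. The certificate names and TXT records in `demo()` are constructed samples.

```python
"""Pre-flight checks for inbound-mail TLS and DNS authentication settings.
Added example; sample SAN lists and TXT records in demo() are CONSTRUCTED."""
import smtplib
import ssl
from datetime import datetime, timezone


def hostname_matches(hostname: str, san_dns_names) -> bool:
    """RFC 6125-style match: exact match, or a wildcard that stands in for exactly
    one label in the leftmost position (so *.example.com covers mx1.example.com
    but not a.b.example.com, and *.com is never accepted)."""
    host = hostname.lower().rstrip(".")
    for pattern in san_dns_names:
        pat = pattern.lower().rstrip(".")
        if pat == host:
            return True
        if pat.startswith("*."):
            suffix = pat[1:]  # ".example.com"
            base = host[:-len(suffix)] if host.endswith(suffix) else None
            if base and "." not in base and suffix.count(".") >= 2:
                return True
    return False


def cert_is_current(not_before: datetime, not_after: datetime, now=None) -> bool:
    """True when `now` (UTC) lies inside the certificate's validity window."""
    now = now or datetime.now(timezone.utc)
    return not_before <= now <= not_after


def check_spf(txt: str) -> list:
    """Return a list of problems with an SPF TXT record; empty means it looks sane."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_terms = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    problems = []
    if not all_terms:
        problems.append("no 'all' mechanism; record is open-ended")
    elif all_terms[-1] in ("+all", "all", "?all"):
        problems.append(f"'{all_terms[-1]}' lets any host send as this domain")
    lookups = 0
    for t in terms[1:]:
        mech = t.lstrip("+-~?").lower()
        if mech.startswith("redirect=") or \
                mech.split(":")[0].split("/")[0] in ("include", "a", "mx", "ptr", "exists"):
            lookups += 1
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10")
    return problems


def check_dmarc(txt: str) -> list:
    """Return a list of problems with a DMARC TXT record; empty means it looks sane."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    problems = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        problems.append("missing or invalid 'p' tag")
    elif policy == "none":
        problems.append("p=none only monitors; failing mail is still delivered")
    if "rua" not in tags:
        problems.append("no 'rua' aggregate-report address; failures go unseen")
    return problems


def probe_mx_tls(mx_host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Live check (needs network; not used by demo()): open SMTP, upgrade with
    STARTTLS under a context that verifies the chain and the hostname, and
    return the peer certificate. A bad certificate raises ssl.SSLError."""
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.getpeercert()


def demo() -> dict:
    """Exercise the offline checks on constructed inputs."""
    san = ["mx1.example.com", "*.mail.example.com"]  # constructed SAN list
    now = datetime(2024, 4, 1, tzinfo=timezone.utc)
    return {
        "san_ok": hostname_matches("MX2.mail.example.com", san),
        "san_bad": hostname_matches("deep.sub.mail.example.com", san),
        "current": cert_is_current(datetime(2024, 1, 1, tzinfo=timezone.utc),
                                   datetime(2025, 1, 1, tzinfo=timezone.utc), now),
        "spf_weak": check_spf("v=spf1 include:_spf.example.net +all"),
        "spf_ok": check_spf("v=spf1 ip4:203.0.113.0/24 mx -all"),
        "dmarc_weak": check_dmarc("v=DMARC1; p=none"),
        "dmarc_ok": check_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:11} {value}")
```

For a real mail host, feed the SAN names from `probe_mx_tls(...)["subjectAltName"]` and its `notBefore`/`notAfter` fields into the offline functions, and the SPF and DMARC TXT records (the latter published at `_dmarc.<domain>`) into `check_spf` and `check_dmarc`. A sending side that enforces verification the way the notice describes will refuse delivery on exactly the conditions these functions flag: an expired certificate, a name that does not match, or a chain that does not validate.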

TLS Configuration and Enforcement by Major Providers:

Please remember that major email service providers, such as Office365 and Google, have mandated using Transport Layer Security (TLS) and certificate validation since 2020. If your email servers are not aligned with these practices, we recommend taking immediate action to ensure compliance.
Thank you for your prompt attention to this crucial matter.

Built on SafeBase by Drata