2022 04 20 Heroku / Github Stolen OAuth Tokens Attacks

Our security team is investigating the impact of the recent attacks on GitHub and Heroku. The threat level is low: Heroku has already revoked all affected API tokens, so there is little or no risk of future intrusions. We are currently applying mitigation measures to help keep Digesto safe.

Digesto Security Overview
For Digesto Startup, Growth, Publisher, and Agency plans, Digesto does not access nor store any data related to Marketo lead or lead activity. We store only the program and campaign identification related to the execution of Digesto Email distribution services, Digesto configurations, and account related information.

For Digesto One-to-One Personalization (BETA), Digesto will access Marketo Lead records. The lead data accessible is controlled/restricted to identified subscribers to the Blog/Newsfeed Digest email.

GDPR Compliance and Marketo Data Access

Digesto does not process any Personally Identifiable Information nor access any lead record data from your Marketo Instance.

User Authentication

Access to the Digesto application requires a username and password, and an HTTPS / SSL certificate is required for all access to the Digesto application.

How We Access Marketo
Although some accounts created before August 2016 may use the SOAP API, Digesto otherwise uses the REST API to connect to your Marketo instance. You must share Marketo API keys with Digesto so that it can authenticate to your Marketo instance. A Marketo admin can control or revoke Digesto's API access by generating new SOAP or REST API keys or by deactivating the related REST Custom Web Service. See the Marketo Custom REST Web Service documentation for more details. Your Digesto admin panel allows you to update/edit your Marketo REST API credentials.

On all plans, Digesto will access the following data/objects:
- Marketo Program and Program Tokens;
- Marketo Smart Campaigns;

On the One-to-One Personalization (BETA) plan only, in addition to the above, Digesto will also process the following data/objects and the following personal information:

  • First Name

  • Last Name

  • Email Address

  • Unique ID (Marketo Lead ID)

  • Blog Categories

  • Blog Authors

Data Storage
The Digesto application databases are stored on Amazon AWS Relational Database Service (Amazon RDS), ensuring great performance and resizable capacity. The physical and software security environment at Amazon is described on the Amazon AWS Website. All data is also backed up on a daily basis and retained for a period of thirty-five days.

Encryption in transit: All information sent from Digesto to Marketo goes through encrypted data transfer using the SHA256 encryption method.
Encryption at rest: All sensitive information, including users' passwords, Marketo API authentication credentials and personal data, is encrypted with 128-bit AES before it is stored in our database.

Payment Information
Digesto does not handle or store any billing or payment information. Our eCommerce platform uses Chargebee for subscription billing/invoicing, payment processing is done by Stripe, and the related data is stored on these platforms.

Whitelisting - User Agent & IP Address

Digesto uses the following user agent when accessing RSS feeds:
Digesto/1.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
If you have extra firewall/security controls on your server (and feed), you may need to whitelist Digesto's user agent above to allow Digesto to access your feed.

You can also use these fixed IP addresses to whitelist the Digesto server's access to your RSS feed.
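As an added example (not Digesto's own code), the following audit script reads a few constructed web-server log lines for your feed and accepts the Digesto user agent above only when the request also comes from an allowlisted address; a user-agent string alone is not proof of who sent the request, so the allowlist pairs it with the fixed IPs. The page does not list those IPs, so the addresses below are assumed placeholders from the RFC 5737 documentation ranges.

```python
import ipaddress
import re

# Exact user-agent string the page publishes for Digesto feed fetches.
DIGESTO_UA = "Digesto/1.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"

# Placeholder allowlist (assumed): replace with the fixed IPs Digesto provides.
DIGESTO_IPS = [ipaddress.ip_network("192.0.2.10/32"),
               ipaddress.ip_network("192.0.2.11/32")]

# Apache/nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group(1), "request": m.group(2), "status": int(m.group(3)), "ua": m.group(4)}

def classify(entry):
    """'allow' for the Digesto UA from an allowlisted IP, 'spoofed-ua' for the
    Digesto UA from any other address, 'other' for everything else."""
    ua_match = entry["ua"] == DIGESTO_UA
    ip_match = any(ipaddress.ip_address(entry["ip"]) in net for net in DIGESTO_IPS)
    if ua_match and ip_match:
        return "allow"
    if ua_match:
        return "spoofed-ua"
    return "other"

def audit(lines):
    """Count verdicts for requests to the feed path; skips unparsable lines."""
    counts = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or "/feed" not in entry["request"]:
            continue
        verdict = classify(entry)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Apr/2022:10:00:01 +0000] "GET /feed HTTP/1.1" 200 5120 "-" "Digesto/1.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '198.51.100.7 - - [20/Apr/2022:10:00:05 +0000] "GET /feed HTTP/1.1" 200 5120 "-" "Digesto/1.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '203.0.113.3 - - [20/Apr/2022:10:00:09 +0000] "GET /feed HTTP/1.1" 403 0 "-" "curl/7.81.0"',
    '203.0.113.4 - - [20/Apr/2022:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))  # {'allow': 1, 'spoofed-ua': 1, 'other': 1}
```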

Access Role

Digesto is a single-user platform. When you register, an "Administrator" role is granted that allows the following actions:

  • Configure Marketo API Access

  • Create, Update, Delete, Edit, Test, and Activate Digests

  • Manage Account (contact info, email, payment method)

  • Manage subscription

  • Access Logs (Read Only)

Log4J Critical Vulnerability

On Dec 9th 2021 a critical vulnerability was uncovered in Log4J. Please note that Digesto does not use this framework and therefore is not directly affected by this threat. We have also confirmed that our upstream vendors have applied mitigation measures, and we believe that these mitigations cover what is currently known about these vulnerabilities. This "incident" has been closed.
