2022 04 20 Heroku / GitHub Stolen OAuth Token Attacks
Our security team is investigating the impact of the recent attacks on GitHub and Heroku, in which OAuth tokens issued to Heroku were stolen and used to access GitHub repositories. The threat level is low: Heroku has already revoked all affected API tokens, so there is little or no risk of further intrusion through that path. We are currently applying mitigation measures to help keep Digesto safe.
Digesto Security Overview
For the Digesto Startup, Growth, Publisher, and Agency plans, Digesto neither accesses nor stores any data related to Marketo leads or lead activity. We store only the program and campaign identifiers used to execute Digesto email distribution, Digesto configuration, and account-related information.
For Digesto One-to-One Personalization (BETA), Digesto accesses Marketo lead records. The lead data accessible is restricted to the leads identified as subscribers to the Blog/Newsfeed Digest email.
GDPR Compliance and Marketo Data Access
On the Startup, Growth, Publisher, and Agency plans, Digesto does not process any Personally Identifiable Information and does not access any lead record data from your Marketo instance; only the One-to-One Personalization (BETA) plan accesses the lead data described below.
Access to the Digesto application requires a username and password, and all access to the application is made over HTTPS (TLS).
How We Access Marketo
Although some accounts created before August 2016 may still use the SOAP API, Digesto otherwise uses the REST API to connect to your Marketo instance. You must share Marketo API credentials with Digesto so that it can authenticate to your Marketo instance. A Marketo admin can restrict or revoke Digesto's access at any time by generating new SOAP or REST API keys or by deactivating the related REST Custom Web Service; rotating the keys in Marketo invalidates the copy Digesto holds, so the new credentials must then be entered in Digesto. See the Marketo Custom REST Web Service documentation for details. Your Digesto admin panel allows you to update or edit your Marketo REST API credentials.
On all Plans, Digesto will access the following Data/Objects:
- Marketo Program and Program Tokens;
- Marketo Smart Campaigns;
On the One-to-One Personalization (BETA) plan only, in addition to the above, Digesto also processes the following data/objects and personal information:
- Unique ID (Marketo Lead ID)
The Digesto application databases are hosted on Amazon Relational Database Service (Amazon RDS), which provides resizable capacity. The physical and software security environment at Amazon is described on the Amazon AWS website. All data is also backed up daily and retained for thirty-five days.
Encryption in transit: All information sent between Digesto and Marketo travels over HTTPS (TLS)-encrypted connections. (SHA-256 is a hash function used within TLS for certificate signatures and integrity checks; it is not itself an encryption method.)
Encryption at rest: All sensitive information, including user passwords, Marketo API authentication credentials, and personal data, is encrypted with AES-128 before it is stored in our database.
Digesto does not handle or store any billing or payment information. Our eCommerce platform uses Chargebee for subscription billing and invoicing, with payment processing by Stripe; the related data is stored on those platforms.
Digesto uses the following user agent when accessing RSS feeds:
Digesto/1.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
If your server or feed sits behind an extra firewall or security layer, you may need to allow-list Digesto's user agent above so that Digesto can fetch your feed. Note that the User-Agent header is set by the client and is trivially spoofed, so an allow-list entry for it is an availability accommodation, not an access control; a feed that is not meant to be public should be protected by other means.
Digesto is a single-user platform. When you register, an "Administrator" role is granted that allows the following actions:
Configure Marketo API Access
Create, Update, Delete, Edit, Test, and Activate Digests
Manage Account (contact info, email, payment method)
Access Logs (Read Only)
Log4j Critical Vulnerability
On December 9th 2021 a critical remote code execution vulnerability (CVE-2021-44228, "Log4Shell") was disclosed in the Log4j logging library. Digesto does not use this library and is therefore not directly affected. We have also confirmed that our upstream vendors have applied mitigation measures, and we believe these mitigations cover what is currently known about these vulnerabilities. This incident has been closed.