HubSpot June 2024 Security Incident

Trust Center

HubSpot is the customer platform that helps businesses connect and grow better. HubSpot delivers seamless connection for customer-facing teams with a unified platform that includes AI-powered engagement hubs, a Smart CRM, and a connected ecosystem with over 1,500 App Marketplace integrations, a community network, and educational content. Learn more at

HubSpot’s primary security focus is to safeguard our customers’ data. To this end, HubSpot has invested in the appropriate controls to protect and service our customers. This investment includes the implementation of dedicated Corporate, Product, Infrastructure, and Physical Security programs. These teams are responsible for HubSpot’s comprehensive security program, partnering with our Compliance, Legal and Privacy teams to own the governance process. Our Chief Information Security Officer oversees the implementation of security safeguards across the HubSpot enterprise.

Security & Compliance Overview

We do not externally share policy documentation. Please reference our SOC 2 Type 2 report for more detail surrounding the policies and procedures that we have in place.

Trust Center Updates

HubSpot June 2024 Security Incident

Incidents

HubSpot June 2024 Security Incident Investigation Complete

As of July 12, 2024, our investigation is complete. At the close of our investigation, we confirmed that bad actors were able to gain unauthorized access to less than 30 HubSpot customer portals. All impacted customers have been notified via email and steps have been taken to secure their accounts.

The incident began June 22, 2024 and was resolved by June 27, 2024. We have seen no new instances of unauthorized access in 14 days.

In response to this incident, our Security team:

  • Deactivated and blocked bad actor accounts as we identified them;
  • Audited login and signup activity to identify all affected customers;
  • Reset passwords of some users based on the results of the investigation;
  • Provided audits of portal activity to impacted customers.

The core tenets of HubSpot’s security program are to safeguard customer data and to maintain customer trust. HubSpot uses a defense-in-depth approach to implement layers of security throughout our organization. We’re passionate about developing new security controls and continuously refining our existing ones to protect our customers. Please see our Security Overview document and request a copy of our SOC 2 Type 2 Report for more information on our security program overall.

July 1, 2024 Update: HubSpot June 2024 Security Incident

HubSpot continues to investigate this incident; however, as of 12 pm ET on July 1, 2024, we have seen no new instances of unauthorized access in over 90 hours. We have contacted all impacted customers at this time. We will post an update at the end of the investigation.

On June 22, 2024, HubSpot identified a security incident that involved bad actors targeting a limited number of HubSpot customers and attempting to gain unauthorized access to their HubSpot accounts.

HubSpot triggered our incident response procedures, and since June 22, we have contacted impacted customers and taken necessary steps to revoke the unauthorized access to protect our customers and their data. In addition, the HubSpot Security team has been actively investigating and blocking attempts to gain access to customer accounts.

While our investigation is still underway, we believe based on our initial assessment that the bad actors were able to gain unauthorized access to less than 50 HubSpot accounts.

As of 4:00 pm ET, June 28, we have seen no new instances of unauthorized access in the last 24 hours, and we have contacted all impacted customers at this time.

Though the investigation is ongoing, based on our current assessment of the incident, we believe that the impact will be isolated to a small subset of the HubSpot customer base. We will post an update at the end of the investigation in the spirit of continued transparency. We have also posted this update to our Investor Relations page at

HubSpot Achieves EU Cloud Code of Conduct Level 2 Compliance, Report Now Available

Compliance

We are proud to share that HubSpot is now certified by the EU Cloud Code of Conduct for demonstrating GDPR compliance as a cloud service provider.

Achieving the Code’s Level 2 Compliance Mark reinforces our commitment to safeguarding our customers’ data and our high standards for security, privacy and compliance.

The report is available for download from the HubSpot Trust Center, and the EU Cloud Code of Conduct public register.

HubSpot’s 2024 SOC 2 and Updated Security Documents Now Available

General

HubSpot is pleased to announce the release of our 2024 SOC 2 Type II report, now available for download in the Trust Center. The report covers the period of 5/1/2023 - 4/30/2024 and includes several new controls, as well as enhancements to existing controls, that strengthen our security and compliance posture. All systems and features that have launched in General Availability on or before 4/30/2024 are included in the report, including most AI-powered features (excluding ChatSpot).

In addition to our SOC 2, we’re excited to share the following resources as part of our commitment to accessible & transparent information regarding our approach to security, privacy and compliance:

  • Sensitive Data Beta FAQs - New!
  • Compliance FAQs - New!
  • SOC 3 - Updated
  • Corporate Pentest Attestation - Updated
  • Pre-filled security questionnaires:
    • CAIQ v4 - Updated
    • SIG Lite - Updated
  • Clearbit SOC 2 Report - Legacy
  • Clearbit TRUSTe Certification - Legacy

HubSpot Update on Dropbox Sign Security Incident

Incidents

On May 2, 2024, HubSpot was notified by our service provider, Dropbox, about a security incident involving their e-signatures service. This service is used by some HubSpot customers as part of the quoting tool.

What Happened: On April 24, Dropbox discovered a third party gained unauthorized access to Dropbox Sign, a tool used by some HubSpot customers in Sales Hub and Commerce Hub.

Based on Dropbox’s investigation, HubSpot customers’ contacts who have received or signed a quote, up to and including April 24, through our e-signatures tool had their email address and name exposed. Additionally, the email address and name of any countersigner on your HubSpot portal have also been exposed. However, there is no evidence to suggest unauthorized access to the contents of HubSpot customers’ quotes, or their payment information.

Customers or customer contacts who created a Dropbox Sign account also had information such as email addresses, usernames, phone numbers and hashed passwords exposed. In addition, general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication may have been compromised. Dropbox will be contacting these individuals directly.

Actions to Date & Next Steps: HubSpot rotated any API keys and OAuth tokens that may have been exposed to re-secure our e-signature integration. Additionally, we have rotated the passwords for our Dropbox Sign user accounts and, at this time, have found no evidence of unauthorized access to HubSpot’s Dropbox Sign account. See what actions Dropbox has taken here.

At this point, all potentially affected customers have been notified via email. We will continue to monitor the situation and provide updates to affected customers if there are any changes that impact your HubSpot account.

HubSpot Update on HTTP/2 and Libwebp Vulnerabilities

Vulnerabilities

Recently two zero-day vulnerabilities were announced, one related to HTTP/2 (CVE-2023-44487) and the other related to the libwebp library (CVE-2023-4863).

HubSpot has conducted thorough investigations and is fully protected against both vulnerabilities.

There is no evidence of any exploitation, and there is no action required from HubSpot customers. We have checked with our sub-processors regarding both vulnerabilities, and are monitoring their responses.

HubSpot Not Impacted by MOVEit Vulnerabilities

Vulnerabilities

Recently two zero-day vulnerabilities were announced related to the MOVEit file transfer application. HubSpot has conducted a careful review of our Product and Corporate infrastructures and can confirm that there is no use of the MOVEit applications internally at HubSpot. Based upon our review, HubSpot is not impacted by CVE-2023-34362 or CVE-2023-35036.

Additionally, we have reached out to our 3rd party vendors and have confirmed that at this time, there is no evidence of compromise related to these CVEs to any of HubSpot's 3rd party vendors.

HubSpot's 2023 SOC 2 Type 2 & SOC 2 Type 3 Reports Now Available

Compliance

HubSpot is excited to announce the release of our 2023 SOC 2 Type 2 and SOC 3 reports, which are now available for download in the Trust Center. The reports cover the period from 5/1/22-4/30/23. Our new reports include all Hubs in one report, including Ops Hub, which was in a standalone report for the previous period.

HubSpot's SOC 2 & SOC 3 Reports

Compliance

Update to HubSpot's SOC 2 & SOC 3 Now Available

For this year’s audit, we asked for a second helping of SOC reports.

Given the release timing and infrastructure of HubSpot’s new product, Operations Hub (Ops Hub), we elected to cover this in a separate SOC 2 Type II Report. HubSpot’s Ops Hub SOC 2 report covers a 6 month period dating from 11/1/21-4/30/22. The CRM, Marketing Hub, Sales Hub, Service Hub, and CMS Hub are covered under the HubSpot Platform SOC 2 report.

Report Changes
  • In our efforts to comply with the EU data localization requirements per the GDPR, HubSpot launched a new EU Data Center on 07/19/2021. SOC 2 controls were designed/implemented/validated for the EU instances of in-scope systems prior to the EU data center launch and these systems are included in our new report!
  • As of 01/15/2022, HubSpot launched a new HubSpot Payments Tool powered by Stripe. SOC 2 controls were designed/implemented/validated for Stripe prior to the public launch and are included in our new report.

HubSpot's SOC 2 Type 2 & SOC 3 Now Available for Download!

We are delighted to announce that HubSpot now has a SOC 2 Type II report and SOC 2 report available for our customers and prospects! These reports represent an independent third-party verification that HubSpot has specific controls in place governing the security and availability of our product, as well as the confidentiality of our customers' data.

HubSpot's Transfer Impact Assessment (TIA)

Compliance

HubSpot's TIA Now Available in More Languages!

We're excited to share that our TIA is now available in French, German, Portuguese, and Spanish to help support our EMEA customers.

HubSpot's TIA Now Available for Download!

We're delighted to announce that HubSpot now makes its Transfer Impact Assessment available for customers and prospects on a self-serve basis.

The new SCCs require data exporters (i.e. customers) to document their data transfer. Our TIA includes information to support customers in conducting a risk assessment of transferring data outside of the EU.

HubSpot's Response to Log4J

Incidents

Update to HubSpot's Response to Log4J

A vulnerable version of Log4j was discovered in HubSpot’s infrastructure by a security researcher and responsibly disclosed to us through the HubSpot bug bounty program on August 28, 2022.

HubSpot investigated the reported findings and performed the following actions:

  • Confirmed that a small legacy portion of our logging infrastructure contained the vulnerable version of Log4j
  • Patched and fixed the affected service to remove the vulnerability
  • Inspected multiple log sources to confirm that no malicious attempts to exploit the vulnerability had been found

At this time, no action is required by HubSpot customers. HubSpot Security will continue to monitor for any potential exposure to this vulnerability and assess additional safeguards to help prevent future exploitation. We will update this page as needed.

HubSpot's Response to Log4J

HubSpot is aware of ongoing security issues related to open-source Apache “Log4j2”. We know that the security of your HubSpot tools is especially important given the uncertainty around these events. HubSpot customer-facing tools do not use Log4j2 as a logging tool, and are not susceptible to the vulnerabilities that have been discovered thus far.

We are committed to continued monitoring of the situation, thorough review of the HubSpot tools as new information becomes available, and doing our best to provide you with the information you need to feel secure for your business.

Log4J Vulnerability Background

Log4j2 is an open-source Java-based logging tool maintained by the Apache Software Foundation, and used by many services.

HubSpot Response & Actions Taken

We have performed a thorough investigation and found no HubSpot customer-facing tools that use Log4j2.

Since we became aware of the vulnerability, HubSpot has taken a number of steps to identify and mitigate any risk to our products and our customers. We have implemented:

  • Full scans of all production services to confirm that they don't have a dependency on the Log4j2 library.
  • Precautions to prevent use of the vulnerable version of Log4j2 in future systems.
  • Updated Web Application Firewall rules to avert exploitation attempts.
  • We will continue regular vulnerability scans on all HubSpot systems as outlined in our security resources.
  • We have requested details of any potential vulnerabilities from all sub-processors of the HubSpot product, and are monitoring their responses. HubSpot’s most important sub-processors, including Amazon Web Services, Google Cloud, Cloudflare, and Snowflake were either not vulnerable or have already begun patching the vulnerability across their networks.

Conclusion & Update

HubSpot Corporate Security, which monitors the internal tools that HubSpot employees use, is systematically reviewing each HubSpot Corporate internal system. If any system is found to be vulnerable, we will rapidly patch the instance, or apply other mitigation tactics as advised by the vendors we use.

We will continue to investigate any potential exposure to this vulnerability and alert our customers as required. At this time, HubSpot customers do not need to take any action related to their use of HubSpot software.

If you have specific questions related to this event, please contact HubSpot Support.
