HubSpot (www.hubspot.com) is the customer platform that helps businesses grow better with AI-powered engagement hubs, a Smart CRM, and a wide-ranging, connected ecosystem. HubSpot’s primary security focus is to safeguard our customers’ data. To this end, HubSpot has implemented a comprehensive security program, with teams dedicated to Corporate, Product, Infrastructure, and Physical Security that partner with Compliance, Legal, and Privacy to own the governance process. Our Chief Information Security Officer oversees the implementation of security safeguards across the HubSpot enterprise.
Documents
We do not externally share policy documentation. Please reference our SOC 2 Type 2 report for more detail surrounding the policies and procedures that we have in place.
On October 30, 2024, at 6:45 pm ET, HubSpot was made aware of a vulnerability in Lottie Player, a widely used JavaScript animation library that enables animations created in Adobe After Effects to be integrated into web and mobile applications. Affected customers may have included Lottie Player on their HubSpot website independently, or may have used a Marketplace template that included Lottie Player.
Affected customers would have seen an unintended pop-up on their webpage(s) directing them to “Connect Wallet” or “Get a Wallet”.
The vulnerability was identified, and the Lottie Player maintainers implemented a fix at 7:30 pm ET. For more context on the supply chain attack targeting Lottie Player, see LottieFiles’ official statement and timeline here.
No additional action is needed from customers.
If you are concerned about the security of Lottie Player, please ensure you are running the latest released version (2.0.8), or you can remove associated code from your HubSpot website. This may mean removing a template or working with template creators to find alternative modules. For specific guidance, we encourage you to review this information with your IT or Security team.
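One way to check a site's HTML for Lottie Player references before deciding whether to update or remove them, as an added example that is not HubSpot's or LottieFiles' own code: it reports every script reference to Lottie Player and flags versions other than the 2.0.8 release named above, as well as unpinned CDN references where the CDN decides which version is served. The HTML and CDN URLs below are constructed sample input.

```python
import re
from html.parser import HTMLParser

# Latest released version named in the advisory above.
SAFE_VERSION = "2.0.8"


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


# Matches CDN-style references such as ".../lottie-player@2.0.8/..." (pinned),
# ".../lottie-player@latest/..." or ".../lottie-player.js" (both unpinned).
_LOTTIE_RE = re.compile(r"lottie-player(?:@([\w.\-]+))?", re.IGNORECASE)


def audit_lottie_references(html):
    """Return (src, version, status) for each Lottie Player script reference.

    status is "ok" (pinned to SAFE_VERSION), "outdated" (pinned to any other
    version) or "unpinned" (no version in the URL, so what loads can change).
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        match = _LOTTIE_RE.search(src)
        if not match:
            continue  # not a Lottie Player reference
        version = match.group(1)
        if version is None or version.lower() == "latest":
            status = "unpinned"
        elif version == SAFE_VERSION:
            status = "ok"
        else:
            status = "outdated"
        findings.append((src, version, status))
    return findings


# Constructed sample page: one pinned-current, one "latest", one pinned-old,
# one unversioned file name and one unrelated script.
SAMPLE_HTML = """<html><head>
<script src="https://unpkg.com/@lottiefiles/lottie-player@2.0.8/dist/lottie-player.js"></script>
<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>
<script src="https://cdn.example.test/libs/lottie-player@1.5.0/lottie-player.js"></script>
<script src="https://cdn.example.test/libs/lottie-player.min.js"></script>
<script src="https://cdn.example.test/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for src, version, status in audit_lottie_references(SAMPLE_HTML):
        print(f"{status:9} {version or '-':8} {src}")
```

Anything reported as "outdated" or "unpinned" is a candidate for updating to 2.0.8 or removing, per the guidance above.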
HubSpot is encouraging customers to stay alert to bad actors who may be impersonating HubSpot employees.
Through recent reports, we have found that bad actors are spoofing HubSpot support numbers and/or impersonating HubSpot employees in an attempt to gain access to HubSpot accounts.
Here’s how to spot a HubSpot impersonator:
- Receiving an unprompted call from a HubSpot employee. HubSpot’s support team will not proactively reach out to you unless you have initiated a call back through your account. If you are unsure whether a call is from a legitimate HubSpot employee, hang up and contact us using one of our contact methods.
- The caller instills a sense of fear or urgency. We will never use scare tactics to convince you to share account information. We will never ask you to share your HubSpot account credentials, including your password and two-factor authentication code(s).
Ensure your account is secure by:
- Regularly reviewing all users on your HubSpot account(s) to ensure no unrecognized users have been added, and remove users who no longer need access to reduce risk.
- Requiring two-factor authentication for all accounts and HubSpot users.
- Considering IP allowlisting, which allows you to limit logins to trusted IP addresses.
- Reviewing your account activity and reporting any suspicious activity to HubSpot Support.
- Visiting our security health tool to learn about more ways to improve your account security.
HubSpot is thrilled to announce a new product feature which allows customers to store Sensitive Data within HubSpot. We have published a new Sensitive Data FAQ and Sensitive Data Implementation Guide to the Trust Center to help empower your understanding and use of these new product features.
We have also updated a number of other Trust Center resources, including the Compliance FAQs, and the CAIQ and SIG pre-filled questionnaires.
HubSpot is aware of recent phishing email campaigns designed to look like HubSpot account notifications. The emails have used various subject lines such as “New Login Detected/Location” and “Action Required: Validate Your Account.” The emails appear to come from a HubSpot sender, imply a potential account compromise and may contain a malicious link to "Re-Login" or "Validate your account."
These emails are fraudulent and were not sent from HubSpot. Please do not click any link or provide any personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails.
All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. Please review the “sent from:” email address if you receive suspicious or unusual emails.
Our investigation is ongoing and we will provide updates on this page as needed. If you receive this, or any other suspicious email impersonating HubSpot, please report it to Customer Support or your Customer Success Manager so we can investigate.
HubSpot is excited to announce the release of our AI Trust FAQs, now available for download in the Trust Center. This new resource addresses common questions surrounding the security, privacy, compliance, and governance of AI products offered by HubSpot.
In addition, the 2024 Application Pentest Attestation is now available for download. This report provides a summary of our latest third-party penetration test against the HubSpot web application.