HubSpot is the customer platform that helps businesses connect and grow better. HubSpot delivers seamless connection for customer-facing teams with a unified platform that includes AI-powered engagement hubs, a Smart CRM, and a connected ecosystem with over 1,500 App Marketplace integrations, a community network, and educational content. Learn more at www.hubspot.com.
HubSpot’s primary security focus is to safeguard our customers’ data. To this end, HubSpot has invested in the appropriate controls to protect and service our customers. This investment includes the implementation of dedicated Corporate, Product, Infrastructure, and Physical Security programs. These teams are responsible for HubSpot’s comprehensive security program, partnering with our Compliance, Legal and Privacy teams to own the governance process. Our Chief Information Security Officer oversees the implementation of security safeguards across the HubSpot enterprise.
We do not externally share policy documentation. Please reference our SOC 2 Type 2 report for more detail surrounding the policies and procedures that we have in place.
Trust Center Updates
HubSpot is thrilled to announce a new product feature which allows customers to store Sensitive Data within HubSpot. We have published a new Sensitive Data FAQ and Sensitive Data Implementation Guide to the Trust Center to help empower your understanding and use of these new product features.
We have also updated a number of other Trust Center resources, including the Compliance FAQs, and the CAIQ and SIG pre-filled questionnaires.
HubSpot is aware of recent phishing email campaigns designed to look like HubSpot account notifications. The emails have used various subject lines such as “New Login Detected/Location” and “Action Required: Validate Your Account.” The emails appear to come from a HubSpot sender, imply a potential account compromise, and may contain a malicious link to “Re-Login” or “Validate your account.”
These emails are fraudulent and were not sent from HubSpot. Please do not click any link or provide any personal information, such as email addresses or passwords, to the sender or through the web pages linked within these emails.
All legitimate communications from HubSpot, including password reset, account validation, and renewal emails, are sent from the hubspot.com domain. Please review the “sent from:” email address if you receive suspicious or unusual emails.
Our investigation is ongoing and we will provide updates on this page as needed. If you receive this, or any other suspicious email impersonating HubSpot, please report it to Customer Support or your Customer Success Manager so we can investigate.
HubSpot is excited to announce the release of our AI Trust FAQs, now available for download in the Trust Center. This new resource addresses common questions surrounding the security, privacy, compliance, and governance of AI products offered by HubSpot.
In addition, the 2024 Application Pentest Attestation is now available for download. This report provides a summary of our latest third-party penetration test against the HubSpot web application.
HubSpot June 2024 Security Incident Investigation Complete
As of July 12, 2024, our investigation is complete. At the close of our investigation, we confirmed that bad actors were able to gain unauthorized access to fewer than 30 HubSpot customer portals. All impacted customers have been notified via email and steps have been taken to secure their accounts.
The incident began June 22, 2024 and was resolved by June 27, 2024. We have seen no new instances of unauthorized access in 14 days.
In response to this incident, our Security team:
- Deactivated and blocked bad actor accounts as we identified them;
- Audited login and signup activity to identify all affected customers;
- Reset passwords of some users based on the results of the investigation;
- Provided audits of portal activity to impacted customers.
The core tenets of HubSpot’s security program are to safeguard customer data and to maintain customer trust. HubSpot uses a defense-in-depth approach to implement layers of security throughout our organization. We’re passionate about developing new security controls and continuously refining our existing ones to protect our customers. Please see our Security Overview document and request a copy of our SOC 2 Type 2 Report for more information on our security program overall.
July 1, 2024 Update: HubSpot June 2024 Security Incident
HubSpot continues to investigate this incident; however, as of 12 pm ET on July 1, 2024, we have seen no new instances of unauthorized access in over 90 hours. We have contacted all impacted customers at this time. We will post an update at the end of the investigation.
On June 22, 2024, HubSpot identified a security incident that involved bad actors targeting a limited number of HubSpot customers and attempting to gain unauthorized access to their HubSpot accounts.
HubSpot triggered our incident response procedures, and since June 22, we have contacted impacted customers and taken necessary steps to revoke the unauthorized access to protect our customers and their data. In addition, the HubSpot Security team has been actively investigating and blocking attempts to gain access to customer accounts.
While our investigation is still underway, we believe based on our initial assessment that the bad actors were able to gain unauthorized access to fewer than 50 HubSpot accounts.
As of 4:00 pm ET, June 28, we have seen no new instances of unauthorized access in the last 24 hours, and we have contacted all impacted customers at this time.
Though the investigation is ongoing, based on our current assessment of the incident, we believe that the impact will be isolated to a small subset of the HubSpot customer base. We will post an update at the end of the investigation in the spirit of continued transparency. We have also posted this update to our Investor Relations page at https://ir.hubspot.com/news-releases/news-release-details/hubspots-statement-regarding-june-22-2024-security-incident.
HubSpot Achieves EU Cloud Code of Conduct Level 2 Compliance, Report Now Available
We are proud to share that HubSpot is now certified by the EU Cloud Code of Conduct for demonstrating GDPR compliance as a cloud service provider.
Achieving the Code’s Level 2 Compliance Mark reinforces our commitment to safeguarding our customers’ data and our high standards for security, privacy and compliance.
The report is available for download from the HubSpot Trust Center, and the EU Cloud Code of Conduct public register.