Trust Center

HubSpot (www.hubspot.com) is the customer platform that helps businesses grow better with AI-powered engagement hubs, a Smart CRM, and a wide-ranging, connected ecosystem.
HubSpot’s primary security focus is to safeguard our customers’ data. To this end, HubSpot has implemented a comprehensive security program, with teams dedicated to Corporate, Product, Infrastructure, and Physical Security that partner with Compliance, Legal, and Privacy to own the governance process. Our Chief Information Security Officer oversees the implementation of security safeguards across the HubSpot enterprise.

Documents

Featured Documents

Reports: Penetration Test Reports
Status Monitoring
Amazon Web Services
Anti-DDoS

Policies

We do not externally share policy documentation. Please reference our SOC 2 Type 2 report for more detail surrounding the policies and procedures that we have in place.

Trust Center Updates

HubSpot is launching a new Trust Center!

General

We’re excited to announce an upgrade coming to HubSpot’s Trust Center!

On Monday, December 15, 2025, we will be launching an all-new HubSpot Trust Center experience. Our current URL, “trust.hubspot.com”, will remain our one-stop shop for public information, gated access, and communications on HubSpot’s security and compliance posture, but with an improved browsing experience and new features that will make it easier to find the information you are looking for.

Actions Needed From You:

As a current HubSpot Trust Center subscriber, you will need to re-subscribe to our Trust Center following the launch (after December 15, 2025) to continue receiving our updates and announcements.

You’ll also need to confirm your email address with our new Trust Center to gain access to our gated Trust Center content, such as our SOC 2 report. Customers with active subscriptions will be provisioned with full access to Trust Center content after confirming their email.

Trust Center subscribers who are not active HubSpot customers will need to complete HubSpot’s clickwrap NDA to un-gate all content, just like how the HubSpot Trust Center works today.

What’s Coming:

We’re excited to offer you easier access to our documentation, as well as an interactive knowledge base to answer our most commonly asked security and compliance questions. Keep a lookout for more features in the months ahead.

Updated Documents Now Available on HubSpot’s Trust Center

General

HubSpot is excited to announce that the 2025 Corporate Network Penetration Test report is now available for review in our Trust Center. This assessment focused on our corporate network’s external attack surface and all publicly accessible corporate network assets.

Additionally, we have published an updated version of the HubSpot Network Diagram that contains new, up-to-date information around our network architecture.

HubSpot’s Response to React Vulnerability

Vulnerabilities

On December 3, 2025, a vulnerability was announced related to popular open-source web development frameworks React Server Components (CVE-2025-55182) and Next.js (CVE-2025-66478). These open-source resources are widely used across the internet to build user interfaces.

Is HubSpot Impacted?

HubSpot utilizes React Server Components and Next.js in a limited capacity primarily for internal tools and experimental product research. We have conducted a thorough review of our Product and Corporate environments to determine the full extent of possible exposure to affected versions of React and Next.js.

We have found no evidence to suggest any attempted exploitation of CVE-2025-55182 in our environments.

Actions Taken

We began patching procedures for vulnerable versions of React and Next.js immediately upon becoming aware of the vulnerability. Initial patches based on advisories were completed by December 3, 2025 at 5:14 PM EST.

As of December 4, 2025 at 1:00 PM EST, all vulnerable React and Next.js versions within HubSpot’s production environment were fully patched.

Additionally, HubSpot’s product platform and public APIs are protected behind our Web Application Firewall (WAF). A new ruleset to specifically protect against this vulnerability was fully implemented into our WAF on December 3, 2025 by 5:00 PM EST. All instances of the HubSpot product, as well as HubSpot’s own marketing pages, are fully protected behind our WAF.

HubSpot is also monitoring any potential impact to our third-party vendors.

Next Steps

There is no action needed for HubSpot customers to protect their HubSpot accounts or data. However, customers using React Server Components and/or Next.js in their own environments are strongly encouraged to update to the latest patched versions.

We will continue to monitor the situation and will post any additional updates to the Trust Center as needed.

HubSpot Update on Gainsight Integration Security Incident

General

November 24, 2025 Update:

Based on our investigation into Gainsight integration activity along with published indicators of compromise (IOCs), we have found no evidence to suggest that HubSpot or our customers were impacted.

The Gainsight integration will remain deactivated from the HubSpot app marketplace until Gainsight fully concludes their investigation to ensure all systems are secure.

HubSpot will continue to follow Gainsight’s investigation updates, and customers should continue to visit Gainsight's status page and Salesforce's status page for updated information.

On November 19, Salesforce reported unauthorized activity in their Gainsight integration. Out of an abundance of caution, we have temporarily removed the app from the HubSpot Marketplace and disabled the integration for any HubSpot accounts where it was in use.

We are investigating any potential impact to the HubSpot integration. At this time, there is no evidence to suggest HubSpot or our customers are impacted. We will continue our investigation and have contacted Gainsight to understand the full scope of the incident.

No additional action is needed from HubSpot customers at this time. Customers who did not integrate Gainsight in their HubSpot accounts were not impacted.

For updates on this issue, customers can visit Gainsight’s status page. For Salesforce-related updates, please visit Salesforce's status page.

HubSpot will continue to monitor the situation and will provide updates in our Trust Center as necessary.

HubSpot Update on Salesloft Drift Security Incident

General

On September 11, HubSpot deactivated Drift's integration with HubSpot as a precautionary response to Salesloft's latest update.

We have not observed any unauthorized access via the Drift integration beyond what we have previously reported.

HubSpot will continue to monitor the situation and provide updates in our Trust Center as necessary.

As a reminder, customers who did not integrate Drift in their HubSpot accounts were not impacted. HubSpot notified impacted customers on September 9, 2025. If you have not received email notice, there is no evidence of impact to your account.

HubSpot Update on Salesloft Drift Security Incident

On August 26, HubSpot became aware of a security incident involving Drift, an AI chatbot tool by Salesloft. While HubSpot does not use Drift internally and was not directly impacted, we investigated Drift integrations in HubSpot customer portals and found evidence of unauthorized access to customer data via Drift OAuth tokens. HubSpot is also monitoring any potential impact to our third-party vendors. It is important to note that this issue did not stem from a vulnerability within the core HubSpot platform, but rather from a compromise of the Drift app connection.

What Happened?

In August 2025, Salesloft disclosed a security incident involving their Drift chatbot service. Threat actors obtained OAuth tokens used to integrate Drift with other platforms, such as CRMs. These tokens were used to access and exfiltrate data in Drift chatbot support cases between August 8 and August 18, 2025.

Although HubSpot is not a direct Salesloft/Drift customer, we took steps to understand how HubSpot and our customers might be impacted and began our investigation on August 26. In this initial investigation, we found no evidence that the OAuth tokens had been used maliciously by searching for known malicious indicators (also known as Indicators of Compromise or IOCs).

HubSpot Security continued to investigate. On September 5, we found evidence of unauthorized access to customer data via Drift OAuth tokens. This access occurred via a new set of IOCs. By Monday, September 8, HubSpot identified a subset of customer portals with Drift integrations that were impacted through unauthorized access to customer data via Drift’s OAuth tokens. On September 9, 2025, HubSpot notified all impacted customers.

Customers who did not integrate Drift in their HubSpot accounts were not impacted. Not every HubSpot customer who installed the Drift integration was impacted by this incident. If you have not received email notice, there is no evidence of impact to you and we are continuing to monitor the situation.

Actions Taken and Next Steps

HubSpot is investigating our customers’ Drift usage and our own third-party vendors to understand impact and next steps.

  1. Starting on August 26, we reviewed logs based on Salesloft’s guidance, threat intelligence reports, and our own analysis. In our initial investigation, we found no evidence of the known IOCs.

  2. Our team conducted threat hunting which yielded new, additional IOCs, and on Friday, September 5, 2025, HubSpot discovered evidence of unauthorized access to customer data via compromised Drift OAuth tokens on August 28. We have shared these new IOCs below for your review.

  3. We have notified impacted customers and have shared steps they can take to review information that was likely exposed.

  4. We have been in communication with Salesloft while they have secured their environment. On August 29, 2025, Salesloft rotated compromised Drift tokens for their HubSpot integration. This revoked any unauthorized access to HubSpot and Drift data. On September 6, 2025, Salesloft confirmed that the incident had been fully contained in their environment.

  5. HubSpot has been in communication with our vendors to understand how HubSpot may have been impacted by this event. A small number of our vendors have confirmed that they were impacted, and that some HubSpot data was in-scope. We have conducted thorough investigations and at this time, we have found:

  • no evidence of customer data being exposed through third-party providers that support the product
  • no evidence of any sensitive HubSpot data being exposed through our corporate supply chain.

We will continue monitoring our vendors.

With these actions we consider the incident closed, but we will continue to monitor the situation and provide updates in our Trust Center as necessary.

Our investigation revealed a number of new Indicators of Compromise which we’ve provided in the TXT file here: https://www.hubspot.com/hubfs/Security/2025-09-09-drift-iocs.txt. Our intelligence sources indicate these IPs are operated by Oculus Proxies.