Data security has become one of the biggest concerns for any digital company. In an environment where information breaches can cost reputation, customers, and sanctions, the question is inevitable: can HubSpot be hacked?
As a leading CRM platform, HubSpot manages key marketing, sales, and customer service information. That’s why it has invested in building a secure ecosystem and offering specific tools to protect its most sensitive data — such as the new Sensitive Data Tools.
In this article, we explain how this additional security layer works and what you should keep in mind to comply with European regulations (GDPR).
Has HubSpot ever been hacked?
Although HubSpot is a robust platform, it is not entirely free of risk. In 2024, HubSpot reported a limited unauthorized access attempt that affected a small number of accounts. The incident was quickly resolved, and no significant data loss was recorded.
The key question is not whether something can be attacked — since no system is 100% invulnerable — but how the organization responds when it happens. In this regard, HubSpot demonstrated a fast, transparent response and a clear commitment to strengthening customer trust.
HubSpot security philosophy: "Secure by design"
HubSpot follows an approach known as defense in depth. This means it doesn’t rely on a single layer of protection, but on multiple coordinated defenses, including:
- Advanced encryption: Data is protected both in transit (TLS 1.2/1.3) and at rest (AES-256).
- Regular penetration testing: Internal and external teams proactively look for vulnerabilities before cybercriminals can exploit them.
- Granular access and permission controls: Only authorized users can access sensitive information.
- Certifications and compliance: HubSpot maintains SOC 2 and SOC 3 reports, independent audits, and a Trust Center that publishes all its security and privacy policies.
This “secure by design” philosophy makes HubSpot a highly reliable platform — provided users maintain good internal security practices (two-factor authentication, permission control, strong passwords, etc.).
What are HubSpot's sensitive data tools?
The Sensitive Data Tools are a major evolution within the HubSpot ecosystem. They are designed for companies that need to store or manage particularly delicate information, such as personal identifiers, financial data, or even healthcare information.
Activation and management
- Only Super Admins can activate the sensitive data mode.
- Once activated, it cannot be deactivated, ensuring consistency and compliance.
- Activation requires accepting specific terms of use and, in some cases, additional agreements like the BAA (for HIPAA-covered environments).
Types of sensitive data
HubSpot classifies information into two levels:
- Sensitive Data: Personal or customer identifiers.
- Highly Sensitive Data: Information requiring greater protection, such as tax identification numbers or health-related data.

Values marked as Highly Sensitive can only be viewed under certain conditions, are encrypted individually, and have restricted use in automations or content personalization.
Technical limitations (for security)
To prevent leaks, HubSpot blocks the use of sensitive properties in contexts that could expose data without control — for example:
- Personalization tokens in emails or chatbots.
- Integrations with tools that don’t meet equivalent security standards.
- Automatic previews in notifications or internal workflows.
In short, the system prioritizes protection, even if that means limiting certain functionalities.
So... can HubSpot be hacked if you handle sensitive data?
In theory, any system connected to the internet carries some risk.
However, with the Sensitive Data Tools, that risk is minimized thanks to several security mechanisms:
Individual encryption per property
Each property marked as “Highly Sensitive” is encrypted individually, meaning each sensitive data point is isolated and encrypted separately.
This ensures that even if part of the system were compromised, critical information would remain protected from unauthorized access.
Strict role-based access control
HubSpot employs advanced role-based access management, allowing precise definition of who can access, view, or modify sensitive data.
Each role has tailored privileges that limit the scope of available actions, preventing inappropriate access both globally and at a granular level.
Detailed audit logs
Every action involving sensitive information is logged — including the user, timestamp, and type of access or modification.
This comprehensive traceability allows for quick detection of unusual behavior and facilitates both internal compliance checks and external audits.
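As an added illustration of the kind of review this traceability makes possible (this is not HubSpot's code or export format), the sketch below flags off-hours access and bulk reads in audit records. The field names, business hours, and threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records, not a real HubSpot export. The field names are
# assumptions based on what the article says is logged (user, time, action).
SAMPLE_LOG = [
    {"user": "ana@example.com", "ts": "2025-03-03T10:02:00", "action": "view", "record": 101},
    {"user": "ana@example.com", "ts": "2025-03-03T10:05:00", "action": "edit", "record": 101},
    {"user": "luis@example.com", "ts": "2025-03-04T02:13:00", "action": "view", "record": 206},
] + [
    {"user": "luis@example.com", "ts": f"2025-03-03T14:{m:02d}:00", "action": "view", "record": 201 + i}
    for i, m in enumerate((0, 4, 9, 15, 20))
]

WORK_HOURS = range(8, 19)   # assumed business hours: 08:00 to 18:59
MAX_RECORDS_PER_HOUR = 3    # assumed ceiling on distinct records per user per hour


def review(log, work_hours=WORK_HOURS, max_per_hour=MAX_RECORDS_PER_HOUR):
    """Return sorted (user, reason) findings for off-hours and bulk access."""
    findings = set()
    per_hour = defaultdict(set)  # (user, hour bucket) -> distinct record ids
    for entry in log:
        ts = datetime.fromisoformat(entry["ts"])
        if ts.hour not in work_hours:
            findings.add((entry["user"], f"off-hours {entry['action']}"))
        per_hour[(entry["user"], ts.strftime("%Y-%m-%dT%H"))].add(entry["record"])
    for (user, bucket), records in per_hour.items():
        if len(records) > max_per_hour:
            findings.add((user, f"{len(records)} records in hour {bucket}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, reason in review(SAMPLE_LOG):
        print(f"{user}: {reason}")
```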
Blocking the use of data in unsecured contexts
HubSpot automatically prevents sensitive data from being inserted or exposed in contexts that don’t meet required protection levels — for example, in personalization tokens, external integrations, or automated chatbot messages.
While these restrictions may require operational adjustments, they follow the principle of minimizing risk exposure and ensuring that the handling of sensitive data meets top-tier security and privacy standards.
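One of those operational adjustments is finding existing templates that reference properties you plan to classify as sensitive. The sketch below is an added example, not HubSpot's blocking logic: it scans template text for personalization tokens, assuming the `{{ object.property }}` token form. The property names, their classification, and the templates are all constructed.

```python
import re

# Assumed classification of internal property names (hypothetical values).
SENSITIVITY = {
    "passport_number": "sensitive",
    "tax_id": "highly_sensitive",
    "diagnosis_code": "highly_sensitive",
}

# Matches {{ object.property }} with optional whitespace or trailing filter text.
TOKEN = re.compile(r"\{\{\s*([a-z_]+)\.([a-z0-9_]+)[^}]*\}\}")


def find_sensitive_tokens(templates, sensitivity=SENSITIVITY):
    """Return (template, line number, token, level) for each sensitive token."""
    hits = []
    for name, body in templates.items():
        for lineno, line in enumerate(body.splitlines(), 1):
            for match in TOKEN.finditer(line):
                level = sensitivity.get(match.group(2))
                if level:
                    hits.append((name, lineno, match.group(0), level))
    return hits


# Constructed templates for illustration only.
SAMPLE_TEMPLATES = {
    "welcome_email": "Hi {{ contact.firstname }},\nYour tax number {{ contact.tax_id }} is on file.",
    "bot_reply": "Your code is {{contact.diagnosis_code}}.",
}

if __name__ == "__main__":
    for name, lineno, token, level in find_sensitive_tokens(SAMPLE_TEMPLATES):
        print(f"{name}:{lineno}: {token} references a {level} property")
```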
GDPR compliance and best practices for European companies
If your company operates within the European Union or processes data belonging to EU citizens, you must ensure that your use of HubSpot complies with the General Data Protection Regulation (GDPR).
Key points to consider:
- Signed DPA: HubSpot acts as a data processor and provides a Data Processing Agreement (DPA) via its Trust Center.
- Data minimization: Retain only the data that is necessary and justified.
- Explicit consent: Mandatory when processing sensitive data.
- Right to be forgotten: HubSpot enables permanent data deletion through the GDPR delete feature.
- Data location: EU customers can request that their data be stored in EU data centers.
- Regular audits and reviews: Periodically review access, permissions, and activity logs.
- Internal training: Educate your team on cybersecurity and responsible CRM usage.
HubSpot also offers tools like Security Health, which help assess each account’s security status and identify potential risks or misconfigurations.
Conclusion
To the question, “Can HubSpot be hacked?” — while it’s theoretically possible, in practice, HubSpot is one of the most secure CRM platforms on the market, provided it’s properly configured and managed.
The Sensitive Data Tools strengthen that security by providing a stricter framework for storing and processing critical information, fully aligned with GDPR and other international regulations.
The weakest point is rarely the software itself, but rather user configuration — compromised credentials, excessive permissions, or poorly secured third-party integrations.
That’s why it’s essential to regularly review your account’s security settings.
As a HubSpot Diamond Partner Agency, mbudo supports your company not only with the implementation of HubSpot CRM but also in the design of secure, compliant strategies, integrating privacy and protection from day one.
Ana Botija Loaísa
Ana is COO in mbudo. She has worked with multinational IT and Telco companies in the areas of Engineering, Business Development, and Marketing. Ana doesn't try to deny her past as an engineer, which helps her enjoy the most complicated challenges. She loves art history and travel.
