The security and privacy of our customers and their data has always been a top priority for us here at HubSpot. That said, security can often feel like a bit of a black box -- we know it’s there and that it’s important, but aren’t sure what’s actually happening behind the scenes to keep us safe. 

With that in mind, we’re sharing some of the security and usability improvements we’ve made to the HubSpot platform in 2019 to better protect our customers. 


Making security, privacy, and compliance the top priorities for the HubSpot product team

The biggest change we made this year wasn’t a product feature or fix -- it was a shift in how our product team prioritizes its work. This year, we introduced the concept of Mainsail. If you’re nautically savvy, you might recognize this term. We use it as a visual representation of how we prioritize our projects:


Think of this as a hierarchy of needs. Security, privacy, and compliance sit at the foundation, meaning that the team must prioritize those factors before all else. This new framework has helped us prioritize our work to focus first and foremost on making the HubSpot platform as secure as possible.


Stronger form spam protections

This year, we saw an increase in the number of spammers using forms to send junk email. They would include spammy content (think “You’ve won a free cruise! Click here to claim your prize!”) in fields like first name or last name, and use the email address of their intended recipient. If that form was set up to send a confirmation email including the first or last name,  the person would receive a confirmation email with the spam link somewhere in the email. 

We put some new protections in place to help combat this:

  1. A machine learning (ML) model that detects abnormal form submissions: We use a combination of ML and heuristics to determine if a submission appears spammy or not. We also manually review these submissions to determine if we’re making the right decisions to prevent false positives and improve our detection mechanisms in the future. 
  2. Quarantines for spammy contacts: This new protection prevents any emails from going out to these contacts, stopping the spammers in their tracks. We keep these contacts separate from the rest of the account's contact list so users can easily delete them.  
  3. Better validation of field contents: We’re actively working with our developer community to increase the quality of contacts no matter how they’re created (e.g., via API, etc). In the future, we’ll start rejecting field values when those fields have invalid contents. You can read more about this here.


Making sure the right people are logging into an account

If our automated systems determine a login attempt to be suspicious, we now require our users to validate that they have access to their email account before logging in. Users will log in to HubSpot and see a prompt that they've been sent a unique code to their registered email address. Once they enter that code, they’ll regain access to their account.

We’re also working on a beta feature that we hope will help keep users' accounts safe from password-based attacks. The tool securely checks a user's password when they log in, and determines if that user’s email and password have been seen in a previous public password breach. If we find that they have been exposed in a public breach, we'll alert the user and ask them to change their password. Stay tuned for more information here next year.


Increased notifications for security-sensitive events

We always want to make sure our customers know what’s going on in their portals. This year, we introduced new awareness notifications that fire when specific actions, like API key creation, password changes, or two-factor authentication configuration changes, are taken. We hope these notifications help our customers feel empowered to know what’s happening in their account and give them the opportunity to reach out to us quickly if they see something suspicious.


Simplified support for API key rotation

It’s been historically tricky to change the API key that’s being used by an integration. You need to know where the key is used, update configuration files, and update the integration. To help streamline some of those processes, we've simplified the user interface to turn API key changes into a single step within a HubSpot portal.


Expanded two-factor authentication adoption and single sign-on integration support

Two-factor authentication (2FA) is one of the best defenses customers can use to protect their accounts from bad actors. To help customers adopt this more widely, we made it possible for portal administrators to require that their users enable 2FA. If you don’t have 2FA set up and are interested in learning more, you can check out this article in our Knowledge Base.

For our enterprise customers, we also enabled administrators to require single sign-on (SSO). 


Want to learn more?

This is just a sample -- we’re making improvements every day -- and a huge testament to the great work of our security, engineering, and product teams. The ever-changing nature of security means that our work is never truly done, but with our new Mainsail priorities and strong groundwork, we’re well positioned to make sure we’re constantly evolving our approach. 

To learn more about how we’re working to protect our customers, please visit

Originally published Dec 11, 2019 9:00:00 AM, updated December 11 2019