HubSpot is auto-generating publicly accessible Google Drive files containing your most sensitive business data - and most companies have no idea it's happening.
Imagine a detailed breakdown of your company's revenue pipeline, deal data, sales performance, and marketing metrics sitting on the open internet - accessible to anyone who has the link. No login required, no permission needed: just a URL and a browser.
This is happening right now, potentially to hundreds of thousands of companies around the world, and most of them do not know it yet. How? Through HubSpot's automated Executive Business Review reports.
Let's be clear: HubSpot is an exceptional CRM platform. It has earned its place as the backbone of sales and marketing operations for over 200,000 companies worldwide, and the Executive Business Review itself is a genuinely valuable feature - a thoughtful, automated summary designed to help customers get more out of the platform.
Which is exactly what makes this discovery so alarming. In auto-generating these reports, HubSpot has inadvertently created a significant security risk; one that exposes proprietary customer data to anyone with a link.
This appears to be an accidental oversight rather than intentional design, but at HubSpot's scale, the impact is enormous. We reached out to HubSpot for comment prior to publishing this article and received no response.
What is the HubSpot Executive Business Review?
HubSpot regularly sends its customers an Executive Business Review - an automated report designed to show companies exactly how they are leveraging the platform. It highlights wins, surfaces opportunities, and benchmarks performance across CRM, marketing, and sales activity.
It functions as a value-add touchpoint that demonstrates the tangible impact HubSpot delivers to customers, showcasing key revenue metrics and progress over time.

What's Actually Exposed
These aren't just generic summaries. The data inside these reports is specific, operational, and deeply confidential. Across the reports we examined, we found exposure of new contract and deal data, CRM records and contact activity, revenue pipeline breakdowns, sales team performance metrics, and marketing campaign analytics and conversion data.


It is genuinely useful content for the customer. It is also some of the most sensitive operational data a business produces - the kind of data you would never want outside your organization.
For most businesses, any one of these categories would be considered strictly internal. Combined, they represent a near-complete picture of a company's commercial operations - exactly the kind of intelligence a competitor, bad actor, or curious outsider would find enormously valuable.
And, it's all public.
HubSpot reports 288,706 paying customers across more than 135 countries. The company has shown rapid growth, adding roughly 40,000 net new customers over the course of 2025 and reporting over $3.1 billion in revenue for the same period.
So, if every customer receives these reports, close to 300,000 companies - from SMBs to mid-market to enterprise - could have summaries of their confidential sales, marketing, and GTM data exposed online, readable by anyone who obtains the link.
The Problem: Public by Default
The Executive Business Review links being auto-generated by HubSpot point to publicly accessible Google Drive files. Anyone with the link can view them - no authentication required.
When HubSpot generates and delivers a report, it creates the document as a Google Drive file in its own account and emails the link to the customer. The intention is clear: give the customer easy access to their report. But the execution has a critical flaw - the file is shared with Google Drive's "Anyone with the link" setting, so access is not restricted to the recipient, to their organization, or even to signed-in Google users. The URL is the only secret protecting the data.

Anyone who obtains that URL - through a forwarded email, a compromised or intercepted mailbox, or any system the link passed through (mail archives, ticketing tools, chat, browser history) - can view your company's proprietary, confidential data. No credentials, no verification, no barrier whatsoever. And because only the file's owner can change its sharing setting, the customer cannot lock the file down themselves.
Why This Matters at Scale
HubSpot serves over 200,000 customers across more than 135 countries. It is the CRM backbone for thousands of mid-market and enterprise companies. If this report generation behavior is consistent across its customer base, the scope of this exposure is significant.
This isn't a one-off misconfiguration by a single customer. This is a systematic, automated behavior built into HubSpot's own reporting workflow. Companies are receiving these reports, trusting that HubSpot has handled the data appropriately, and remaining entirely unaware that their data is sitting on a public link.
How This Happens Without Anyone Noticing
The gap here is subtle but consequential. HubSpot emails these reports to its customers, which feels like a secure, direct communication. But the document itself lives in Google Drive - and the sharing settings on that Drive file are what determine who can actually access it.
Most recipients never think to check the sharing settings of a document they received from a trusted vendor. Why would they? The assumption is that a company of HubSpot's scale and security reputation would handle this correctly. That assumption turns out to be wrong.
How DoControl Found This, and Why We're Talking About It
Like we just mentioned, most recipients never think to check the sharing settings of a document they received from a trusted vendor. But, we are not ‘most recipients’ - we are a SaaS data security company - and this is exactly what we do.
At DoControl, our research team continuously monitors the SaaS landscape for exactly this type of risk. When our researchers identified this pattern in HubSpot's Executive Business Review workflow, we moved quickly to validate the findings and understand the full scope. We are committed to sharing these discoveries with our customers and with the broader industry - because data exposure at this scale affects everyone.
Responsible disclosure is core to how we operate. If we find it, we say something. The irony is not lost on us: even DoControl's own HubSpot-generated reports were subject to this exposure!
What You Should Do Right Now
Oversharing is one of the most pervasive and underestimated risks in SaaS environments today. This HubSpot finding is a textbook example of the problem that DoControl exists to solve.
If your organization uses HubSpot, take these steps immediately:
1) Audit your Google Drive, including the "Shared with me" view, for any files created by or shared from HubSpot.
2) Check the sharing settings on any Executive Business Review documents you have received. "Anyone with the link" (or "Public on the web", which search engines can also index) is the condition described here.
3) Treat any publicly accessible file containing business data as a critical finding, regardless of whether you believe the link has been shared externally.
4) Ask your security team - or a SaaS security tool - to scan for public links across all third-party integrations, not just HubSpot. This problem is unlikely to be isolated.
5) Catalogue every report you have received historically and remediate in bulk. Where your organization owns the file, remove the public permission. Where HubSpot owns the file, you cannot change its sharing: ask HubSpot to restrict or delete it, and treat its contents as already exposed.
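The detection logic behind the sharing-mechanism description above and steps 1, 2 and 5, as an added example that is not DoControl's or HubSpot's code. It inspects the JSON that the Google Drive API v3 `files.list` method returns for the `FIELDS` projection below. The response is constructed inline (not real data) so the script runs offline; in a live audit you would page through `service.files().list(q="sharedWithLink" ... )`, more precisely `q="sharedWithMe = true"`, from google-api-python-client. The vendor domain `example-vendor.com`, the auditing domain `example.com`, the file names and the IDs are assumptions.

```python
"""Flag Google Drive files shared as "Anyone with the link".

Added example, not DoControl's or HubSpot's code. Works on the JSON shape
of a Drive API v3 files.list response requested with FIELDS; the sample
below is constructed. Vendor domain, file names and IDs are assumptions.
"""
from dataclasses import dataclass, field

# Field projection to request from the live API so the response matches
# what this script inspects (pagination via nextPageToken omitted here).
FIELDS = ("nextPageToken,files(id,name,owners(emailAddress),"
          "permissions(id,type,role,emailAddress,domain,allowFileDiscovery))")

OUR_DOMAIN = "example.com"  # assumed: the auditing organization's domain


@dataclass
class Finding:
    file_id: str
    name: str
    owner: str
    exposure: str         # "public_link", "public_discoverable" or "unknown"
    remediable: bool      # True only when our domain owns the file
    public_permission_ids: list = field(default_factory=list)


def classify_permissions(perms):
    """Return (exposure, ids of the public permissions) for one file.

    Drive represents link sharing as a permission of type "anyone".
    allowFileDiscovery=True is "Public on the web" (searchable);
    False is plain "Anyone with the link".
    """
    public = [p for p in perms if p.get("type") == "anyone"]
    if not public:
        return None, []
    ids = [p["id"] for p in public]
    if any(p.get("allowFileDiscovery") for p in public):
        return "public_discoverable", ids
    return "public_link", ids


def find_public_files(response, our_domain=OUR_DOMAIN):
    """Walk a files.list response and return a Finding per exposed file.

    Drive only returns `permissions` to a requester who may share the file.
    For a file you merely view (a vendor-owned report) the key is absent,
    so it is reported as "unknown" rather than silently treated as safe.
    """
    findings = []
    for f in response.get("files", []):
        owner = (f.get("owners") or [{}])[0].get("emailAddress", "")
        remediable = owner.lower().endswith("@" + our_domain.lower())
        if "permissions" not in f:
            findings.append(Finding(f["id"], f["name"], owner, "unknown", remediable))
            continue
        exposure, ids = classify_permissions(f["permissions"])
        if exposure:
            findings.append(Finding(f["id"], f["name"], owner, exposure, remediable, ids))
    return findings


def remediation_plan(findings):
    """permissions.delete for files we own; only the owner can change sharing
    on the rest, so those become a request to the owning vendor."""
    plan = []
    for fd in findings:
        if fd.remediable and fd.public_permission_ids:
            plan += [("permissions.delete", fd.file_id, pid) for pid in fd.public_permission_ids]
        else:
            plan.append(("ask_owner_to_restrict", fd.file_id, fd.owner))
    return plan


# Constructed sample shaped like a files.list response (not real data).
SAMPLE_RESPONSE = {"files": [
    {"id": "1ebrQ3", "name": "Executive Business Review - Q3",
     "owners": [{"emailAddress": "reports@example-vendor.com"}],
     "permissions": [
         {"id": "01", "type": "user", "role": "owner",
          "emailAddress": "reports@example-vendor.com"},
         {"id": "anyoneWithLink", "type": "anyone", "role": "reader",
          "allowFileDiscovery": False}]},
    {"id": "2fcst", "name": "Sales forecast FY25",
     "owners": [{"emailAddress": "cfo@example.com"}],
     "permissions": [
         {"id": "02", "type": "user", "role": "owner", "emailAddress": "cfo@example.com"},
         {"id": "anyone", "type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "3deck", "name": "Board deck",
     "owners": [{"emailAddress": "ceo@example.com"}],
     "permissions": [
         {"id": "03", "type": "user", "role": "owner", "emailAddress": "ceo@example.com"},
         {"id": "04", "type": "domain", "role": "reader", "domain": "example.com"}]},
    # Vendor-owned file we can only view: Drive omits `permissions` entirely.
    {"id": "4ebrQ2", "name": "Executive Business Review - Q2",
     "owners": [{"emailAddress": "reports@example-vendor.com"}]},
]}

if __name__ == "__main__":
    found = find_public_files(SAMPLE_RESPONSE)
    for fd in found:
        print(f"{fd.exposure:20} {fd.name:32} owner={fd.owner} remediable={fd.remediable}")
    for action in remediation_plan(found):
        print(action)
```

The domain-only share on "Board deck" produces no finding, which is the point of checking the permission `type` rather than the `shared` flag: a file can be widely shared inside your tenant without being public. The "unknown" result is the case that matters for vendor-generated reports - the API will not show you their permissions, so the check has to be done from the owner's side or by opening the link in a signed-out browser.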
✅ DoControl surfaces your externally shared data, gives you insight into what third-party apps are over-permissioned, and lets you remediate it all - all through our FREE risk assessment ✅
The Bigger Picture
This discovery is a reminder of a broader, underestimated risk: the SaaS tools your organization trusts are constantly creating, sharing, and modifying files on your behalf.
Most of the time, those actions are invisible to your security team. And sometimes, as this case shows, they are creating public exposure of your most sensitive data without your knowledge or consent.
Oversharing, misconfigured third-party app access, and weak data access governance are the norm in organizations that have scaled their SaaS stack faster than their security controls.
Every connected application (like HubSpot or other CRM tools) introduces new access pathways. With every integration comes a new risk. Without visibility into those actions, you are effectively trusting third-party vendors to handle your data safely and to make data sharing decisions for you.
Most organizations do not know what data is exposed to the public, to apps, or to bad actors that intend to do harm. The first step is gaining visibility into what is publicly exposed; the second is taking action to remediate it.
The perimeter is no longer your network: it's every SaaS application your business has connected - and every file those applications touch. It's time to treat third-party SaaS behavior with the same scrutiny you apply to everything else in your security stack.