My phone rang this week. A UK cell number I didn’t recognize. Normally I’d let it go to voicemail, which is where unrecognized numbers go to die. This time I answered.
It was HubSpot. A rep with an Irish accent, presumably calling from Dublin, ringing around to pitch the company’s new prospecting features. A cold call, in other words, from my CRM vendor, about a tool that helps me make cold calls. There’s something almost poetic about it.
I asked how they’d come to call me specifically. The rep’s answer was disarmingly honest:
“We’re ringing around the super admins.”
I sat with that for a moment. My company spends a serious amount of money with HubSpot every year. And here was a sales rep who didn’t seem to know I was an existing administrator on an existing account, but who did know, precisely, that I held the keys to it.
Normal Is Not the Same as Wise
Let me be fair to HubSpot, because fairness matters even when you’re mildly irritated. It is entirely normal for a SaaS vendor to know who holds which roles on their own platform. Your user list lives in their systems. Their account teams can see it. Salesforce can see yours. Microsoft can see yours. This is how the industry works, and nobody signed anything that says otherwise.
But normal and wise are different things. And handing that role data to an outbound sales team, so they can work through the super admin list like a phone book, sits somewhere between the two. I should note this rests on what one rep told me on one call; I’ve asked HubSpot whether it’s standard practice, and I’ll update this piece if they respond.
Here’s why it bothered me. Super admins are the single highest-value social engineering target on any SaaS account. They can change permissions, export data, connect integrations, and reset everyone else’s access. Fraudsters know this. It’s why “urgent call from your software vendor’s support team” is a phishing classic.
So when a vendor cold-calls its super admins from unrecognized cell numbers, it does something subtle and unhelpful. It trains those admins to answer unexpected calls from people claiming to be from HubSpot. It normalizes the exact attack pattern a fraudster would use. The next caller with a friendly accent and a working knowledge of my account might not be from Dublin at all.
Full disclosure: I can’t actually prove the caller was from HubSpot. There was no verified number, no email beforehand, no way to check. I inferred it from the accent, the pitch, and the fact they knew my role.
I believed them. That, rather neatly, is the problem.
I’m not suggesting HubSpot has leaked anything. I’m suggesting the company has quietly converted a piece of security-sensitive account information, namely who the privileged users are, into a sales targeting field. And I began to wonder how many other vendors do the same.
The Timing Is, Shall We Say, Unfortunate
You may recall that HubSpot has had an eventful month on the customer data front. As CX Today reported last week, the company updated its terms on July 1 so that enrichment data, including business contact details and employer information, could be shared across customer accounts and used for AI model training, with every account opted in by default. Customers revolted, loudly and mostly on LinkedIn. One 15-year customer announced she’d switched CRMs entirely. Four days later, HubSpot scrapped the plan, with Chief Product and Technology Officer Duncan Lennox admitting, “We made a mistake,” and promising that future enrichment features would be fully and transparently opt-in.
Here’s the detail that makes this week’s phone call so delicious. The shelved vision behind those terms changes had a name: “Trusted Prospecting.” An idea about outbound sales that would feel timely and useful rather than like spam. That concept is now on hold. The cold calls to super admins, evidently, are not.
HubSpot paused the product but kept the behavior.
The objection to the terms change was never really about AI. It was about consent, and about a vendor treating data that customers had built up themselves as a communal resource. HubSpot heard that message, loudly, and to its credit it reversed course fast.
Which makes it rather odd that, days after apologizing for one consent misstep, at least one of its reps was working through a customer admin list to pitch prospecting tools. The controversy and the cold call are not the same thing. But they share a family resemblance. In both cases, information customers reasonably assume is operational, held by the vendor to run the service, turns out to be fuel for the vendor’s own growth engine.
You get the sense that the lesson from the enrichment episode landed in legal and product, but hasn’t yet made it down to the dialer.
A Modest Proposal
I’m not asking HubSpot to stop selling. Selling is fine. I work in B2B media; I’m hardly in a position to object to commercial enthusiasm.
But three small things would help. First, check the account before you call. If I’m already an administrator spending real money with you, a cold pitch for a feature suggests you don’t know who I am, which is a strange look for a CRM company. Second, treat privileged user lists as security data, not sales data. Gate them. Third, if you must call admins, do it through channels they can verify: a scheduled call from a named account manager, not a surprise from a cell number.
None of this is dramatic. It’s just the boring discipline of treating customer trust as something you protect between crises, rather than something you apologize for after them.
The rep, for what it’s worth, was perfectly pleasant. That’s rather the problem. So is everyone who calls pretending to be them.
CX Today has asked HubSpot whether contacting customer super admins is standard outbound practice, and whether privileged role data is restricted from sales teams. We will update this piece with any response.