A newly exposed Notion data leak is raising serious privacy and security concerns for organizations using the platform for public documentation.
Security researchers have discovered that public Notion pages can silently expose personally identifiable information (PII)—including email addresses, full names, and profile photos—of anyone who has ever edited those pages.
This isn’t a traditional breach involving hackers breaking in. Instead, it’s a design-level exposure that allows attackers and OSINT researchers to extract sensitive user data without authentication.
For security teams, this creates a dangerous scenario: your organization’s public knowledge base could be leaking employee contact data right now.
In this article, you’ll learn:
- How the Notion data exposure works
- Why it’s a serious security risk
- Real-world implications for organizations
- Immediate steps to reduce exposure
What Is the Notion Data Leak?
The Core Issue
The vulnerability stems from how Notion handles public page data and user identifiers.
When a page is published:
- Editor UUIDs (Universally Unique Identifiers) are embedded in the page
- These identifiers are accessible without authentication
How Attackers Extract User Data
The process is surprisingly simple:
1. Scrape a public Notion page
   - Extract the embedded UUIDs from the page data
2. Query the internal API
   - Send the UUIDs to: /api/v3/syncRecordValuesMain
3. Retrieve full user profiles
   - Names
   - Email addresses
   - Profile photos
⚠️ No login, session, or token required.
Why This Vulnerability Is Critical
1. Silent Exposure of PII
Organizations may unknowingly expose:
- Employee emails
- Contributor identities
- Internal team structures
2. Massive OSINT Opportunity
Attackers can:
- Map entire organizations
- Identify key personnel
- Build targeted attack lists
3. Phishing and Social Engineering Risk
Exposed data enables:
- Highly targeted phishing campaigns
- Business email compromise (BEC)
- Credential harvesting attacks
Real-World Impact
Public Workspaces at Risk
Any publicly shared Notion page—such as:
- Company documentation
- Product roadmaps
- Open-source project boards
may expose:
- Every editor’s identity
- Their contact information
Longstanding Issue
- First reported: July 2022 (HackerOne)
- Initially classified as “informational”
- No structural fix implemented
The issue resurfaced in 2026, triggering widespread backlash from:
- Developers
- Security researchers
- Enterprise customers
Why This Is a Design Flaw (Not Just a Bug)
Architectural Weakness
The problem lies in:
- Lack of access control on internal API endpoints
- Exposure of UUIDs in public content
- Direct mapping between identifiers and user profiles
Security Misclassification
Treating this as “informational” ignored:
- Data sensitivity
- Abuse potential
- Scale of exposure
Common Misconceptions
“Public Pages Only Show What We Intend”
Not true.
Hidden metadata can expose far more than visible content.
“UUIDs Are Safe to Expose”
Incorrect.
UUIDs become dangerous when they:
- Map directly to user data
- Are queryable via unsecured APIs
“No Authentication Means Low Risk”
False.
Unauthenticated endpoints are ideal for automated scraping attacks.
Notion’s Response and Planned Fixes
Following public backlash, Notion acknowledged the issue and is working on the following changes.
Proposed Solutions
- Removing PII from public API responses
- Implementing email proxy systems
- Improving user warnings during publishing
Current State
- No complete fix deployed yet
- Exposure may still exist
- Data may already be indexed by search engines and scraping tools
Immediate Mitigation Steps for Organizations
1. Audit Public Notion Pages
- Identify all publicly accessible pages
- Review contributors and editors
2. Remove Sensitive Contributors
- Limit editing access
- Use anonymized or generic accounts where possible
3. Avoid Using Real Emails in Public Workspaces
- Use role-based accounts
- Mask personal identifiers
4. Monitor for Data Exposure
- Check if employee emails are indexed online
- Use OSINT tools to assess exposure
5. Apply Zero Trust to SaaS Platforms
- Treat public SaaS content as exposed infrastructure
- Validate what metadata is shared
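One way to carry out steps 1 to 3 above as a repeatable audit, written as an added example for this article rather than anything Notion or the researchers published: the script takes an inventory of your own pages (the `Page` records, the `example.com` role-account convention and the page payloads are constructed here and are assumptions, not Notion's data model) and flags every public page whose served payload still carries UUID-shaped identifiers or whose editor list contains a personal rather than a role-based account.

```python
import re
from dataclasses import dataclass

# RFC 4122-style UUID, the shape of the editor identifiers embedded in page data.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)

# Assumed naming convention: only these role-based mailboxes may edit public pages.
ROLE_ACCOUNT_RE = re.compile(
    r"^(docs|support|devrel|community)@example\.com$", re.IGNORECASE
)


@dataclass
class Page:
    title: str
    public: bool
    source: str          # raw payload as served to an unauthenticated visitor
    editors: list        # e-mail addresses of accounts that have edited the page


@dataclass
class Finding:
    title: str
    embedded_uuids: list
    personal_editors: list


def audit_pages(pages):
    """Return one Finding per public page that leaks identifiers or personal editors."""
    findings = []
    for page in pages:
        if not page.public:
            continue                      # private pages are out of scope for this exposure
        uuids = sorted({m.lower() for m in UUID_RE.findall(page.source)})
        personal = [e for e in page.editors if not ROLE_ACCOUNT_RE.match(e)]
        if uuids or personal:
            findings.append(Finding(page.title, uuids, personal))
    return findings


def report(findings):
    """Render findings as one line per page, ready for a ticket or a CI log."""
    return [
        f"{f.title}: {len(f.embedded_uuids)} embedded identifier(s), "
        f"{len(f.personal_editors)} personal editor account(s): {', '.join(f.personal_editors) or '-'}"
        for f in findings
    ]


# Constructed sample inventory (titles, payloads, UUIDs and addresses are made up).
SAMPLE_PAGES = [
    Page(
        "Public API docs", True,
        '{"last_edited_by_id":"1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d",'
        '"created_by_id":"9f8e7d6c-5b4a-4c3d-9e2f-1a0b9c8d7e6f"}',
        ["alice.smith@example.com", "docs@example.com"],
    ),
    Page("Roadmap (internal)", False,
         '{"last_edited_by_id":"1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d"}',
         ["bob@example.com"]),
    Page("Community FAQ", True, '{"title":"FAQ"}', ["community@example.com"]),
]

if __name__ == "__main__":
    for line in report(audit_pages(SAMPLE_PAGES)):
        print(line)
```

The check deliberately stops at the identifiers: it never resolves a UUID to a profile, because the question for a defender is whether the identifiers and the personal accounts are present at all, not who they belong to. Run it against a fresh export whenever a page is published and treat any finding as a reason to swap the editor to a role account before the page goes live.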
Detection and Threat Monitoring
Indicators of Risk
- Public Notion pages with multiple contributors
- UUIDs visible in page source
- API calls to Notion endpoints from unknown sources
Security Controls
- Monitor unusual scraping activity
- Track phishing attempts targeting employees
- Implement email security filtering
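A concrete form of the "monitor unusual scraping activity" control, added here as an example and not taken from Notion or the researchers: a sliding-window detector that reads access-log lines from whichever platform serves an identifier-resolution endpoint (the log format, the `anon`/`session` field, the threshold and the sample lines are all constructed assumptions) and raises an alert when one client resolves identifiers in bulk without a session.

```python
from collections import defaultdict, deque
from datetime import datetime

# Endpoints whose only legitimate use is resolving a handful of identifiers per page view.
SENSITIVE_PATHS = {"/api/v3/syncRecordValuesMain"}
WINDOW_SECONDS = 60      # sliding window length
THRESHOLD = 10           # calls per window per client that count as bulk harvesting


def parse_line(line):
    """Parse the assumed format: '<iso-ts> <client_ip> <method> <path> <status> <auth>'."""
    ts, ip, method, path, status, auth = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "ip": ip,
        "method": method,
        "path": path,
        "status": int(status),
        "auth": auth,               # 'anon' or 'session' in this constructed format
    }


def detect_scraping(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return one alert per client whose calls to a sensitive path exceed the threshold."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)   # client ip -> timestamps of recent sensitive calls
    alerted = set()
    alerts = []
    for ev in events:
        if ev["path"] not in SENSITIVE_PATHS or ev["status"] != 200:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window:
            q.popleft()           # drop calls that fell out of the window
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({
                "ip": ev["ip"],
                "count": len(q),
                "unauthenticated": ev["auth"] == "anon",
                "first": q[0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


# Constructed sample log: one client hammers the endpoint anonymously, another
# uses it a few times with a session, as a normal page view would.
SAMPLE_LOG = [
    f"2026-03-01T10:00:{i:02d}Z 203.0.113.7 POST /api/v3/syncRecordValuesMain 200 anon"
    for i in range(12)
] + [
    "2026-03-01T10:00:05Z 198.51.100.4 POST /api/v3/syncRecordValuesMain 200 session",
    "2026-03-01T10:00:30Z 198.51.100.4 POST /api/v3/syncRecordValuesMain 200 session",
    "2026-03-01T10:00:31Z 198.51.100.4 GET /page/public-doc 200 anon",
    "2026-03-01T10:03:00Z 198.51.100.4 POST /api/v3/syncRecordValuesMain 200 session",
]

if __name__ == "__main__":
    for alert in detect_scraping(SAMPLE_LOG):
        print(alert)
```

The `unauthenticated` flag is what separates a noisy but legitimate viewer from the pattern this article describes: bulk resolution with no login at all. An organization that does not operate the endpoint itself can apply the same shape to its own egress or documentation-portal logs, with the path set replaced by whatever identifier lookups its platform exposes.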
Security Framework Alignment
NIST Cybersecurity Framework
- Identify: Public SaaS data exposure
- Protect: Limit PII sharing
- Detect: Monitor unauthorized access patterns
- Respond: Remove exposed data
- Recover: Strengthen data governance
MITRE ATT&CK Mapping
- T1589 – Gather Victim Identity Information
- T1591 – Gather Victim Organization Information
- T1566 – Phishing
- T1595 – Active Scanning
Risk Impact Analysis
| Risk Category | Impact Level | Description |
|---|---|---|
| PII Exposure | High | Emails and identities leaked |
| Phishing Attacks | Critical | Targeted social engineering |
| Data Scraping | High | Automated harvesting |
| Reputation Damage | High | Loss of trust |
Expert Insights
- SaaS platforms are increasingly becoming unintentional data exposure points
- Metadata leaks are often more dangerous than visible content
- Organizations must treat public collaboration tools as external attack surfaces
FAQs
1. What is the Notion data leak?
It is a vulnerability where public Notion pages expose user PII through accessible internal APIs.
2. What data is exposed?
Full names, email addresses, and profile photos of page editors.
3. Does this require hacking skills?
No. The data can be accessed without authentication.
4. Why is this dangerous?
It enables targeted phishing and social engineering attacks.
5. Has Notion fixed the issue?
Not fully. A long-term fix is currently in development.
6. How can organizations protect themselves?
By auditing public pages, limiting PII exposure, and monitoring for abuse.
Conclusion
The Notion data leak highlights a critical lesson in modern cybersecurity:
Exposure doesn’t always come from breaches—it often comes from design decisions.
Key takeaways:
- Public SaaS content can leak hidden metadata
- PII exposure fuels targeted cyberattacks
- Organizations must audit and control public data visibility
As collaboration tools become central to business operations, security teams must:
- Treat them as part of the attack surface
- Continuously monitor for data exposure
- Apply strict data governance policies
Next step: Audit your public Notion pages today—before attackers map your organization for you.