Notion leaks email addresses of all editors of any public page
TL;DR Highlight
Notion exposed editor names, photos, and emails via page metadata for five years.
Who Should Read
Developers or IT administrators at companies that use Notion for team collaboration and operate public pages, or whose employees contribute edits. Teams that prioritize security should immediately check whether editor email addresses are exposed, since exposure enables spam, phishing, and OSINT attacks.
Core Mechanics
- When a Notion page is published to the web, the names, profile pictures, and email addresses of all editors are automatically included in the page's HTML metadata.
- This behavior was documented in Notion's official documentation (help/public-pages-and-web-publishing) as a small footnote, making it difficult for users to discover.
- A Notion employee named Max commented on Hacker News, admitting that while the issue is documented and a warning is displayed upon publishing, this is insufficient. They are considering removing PII from the public API endpoint or implementing an email proxy system like GitHub's.
- The issue has reportedly existed for at least five years, with one Hacker News user sharing their experience of being deanonymized through their Notion public page five years ago.
- Notion clarified that a fix is not as simple as a 'one-minute change,' suggesting underlying data structure or API compatibility issues.
- Some argue this isn't a Notion-specific problem, but a fundamental limitation of architectures that centrally store user data. One user suggested storing data per user as a solution, but acknowledged challenges with group collaboration, offline access, and scraping prevention.
Evidence
- "Notion employee Max officially acknowledged the issue in a comment on Hacker News, stating that documentation and a warning are present but insufficient, and that they are exploring removing PII or implementing an email proxy. A Hacker News user shared a five-year-old experience of being deanonymized through a Notion public page, demonstrating the issue's longevity. Community discussion highlighted the discrepancy between the existing documentation and its discoverability, with most agreeing that a hidden notice is insufficient. A Notion employee refuted claims of a simple fix, hinting at underlying API or data structure complexities. Some users expressed disappointment with Notion's shift towards an 'AI all-in-one app,' criticizing the prioritization of features over security and privacy."
How to Apply
- If you currently operate Notion public pages, immediately inspect the HTML source or metadata to verify whether editors' email addresses are exposed. If found, temporarily make the page private or separate editors into dedicated workspaces.
- If Notion pages edited by company employees are publicly accessible, their company email addresses could be collected for spear phishing or spam attacks. Audit your public page list and revert any unnecessary public settings.
- If you are developing services using the Notion API or public pages, re-examine the user information fields in the API response and ensure your code does not expose this information. Monitor Notion's change logs for potential updates to the email proxy system.
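As an added example for the audit described above (this is not code from the page, from Notion, or from the Hacker News thread), the script below scans a page's HTML and reports every email-like string, grouped by where it appears: in a `<meta>` attribute, in an inline `<script>` body (where page data is often embedded), or in visible text. The sample HTML, the `editors` meta name, the `page-data` script and all names and addresses are constructed for illustration; the page does not show Notion's actual markup, so the scanner looks at all meta attributes and script bodies rather than one known field. `exposed_for_domain` narrows the result to your own domain and to locations a reader would not see.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set

# Constructed sample of a published page's <head>. The "editors" meta tag, the
# "page-data" script and every name and address here are invented placeholders;
# they do not reflect Notion's real markup.
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta charset="utf-8">
<meta name="description" content="Team roadmap, Q3 planning">
<meta property="og:title" content="Roadmap">
<meta name="editors" content="Alice Example, alice@example.com, bob@example.org">
<script id="page-data" type="application/json">
{"editors":[{"name":"Carol Example","email":"carol@example.net"}]}
</script>
</head><body><p>Contact: press@example.com</p></body></html>
"""

# Deliberately loose address pattern: an audit should over-report, not miss.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class MetaEmailScanner(HTMLParser):
    """Collects email-like strings and remembers whether each came from a
    <meta> attribute, an inline <script> body, or visible body text."""

    def __init__(self) -> None:
        super().__init__()
        self.found: Dict[str, Set[str]] = {"meta": set(), "script": set(), "text": set()}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            # Check every attribute value, not just "content", so unusual
            # attribute names are not silently skipped.
            for _, value in attrs:
                if value:
                    self.found["meta"].update(EMAIL_RE.findall(value))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser delivers <script> contents through handle_data too.
        bucket = "script" if self._in_script else "text"
        self.found[bucket].update(EMAIL_RE.findall(data))


def find_exposed_emails(html: str) -> Dict[str, List[str]]:
    """Return {"meta": [...], "script": [...], "text": [...]} with sorted addresses."""
    scanner = MetaEmailScanner()
    scanner.feed(html)
    scanner.close()
    return {where: sorted(addrs) for where, addrs in scanner.found.items()}


def exposed_for_domain(html: str, domain: str) -> List[str]:
    """Addresses under `domain` that sit in metadata or embedded page data,
    i.e. places a reader of the rendered page would not notice."""
    report = find_exposed_emails(html)
    hidden = set(report["meta"]) | set(report["script"])
    suffix = "@" + domain.lower()
    return sorted(addr for addr in hidden if addr.lower().endswith(suffix))


def audit_url(url: str, domain: str) -> List[str]:
    """Fetch a page you operate and return hidden addresses for `domain`.
    Network helper for real use; the sample run below stays offline."""
    from urllib.request import urlopen

    with urlopen(url, timeout=15) as resp:
        html = resp.read().decode("utf-8", errors="replace")
    return exposed_for_domain(html, domain)


if __name__ == "__main__":
    for where, emails in find_exposed_emails(SAMPLE_HTML).items():
        print(f"{where}: {emails}")
    print("hidden example.com addresses:", exposed_for_domain(SAMPLE_HTML, "example.com"))
```

Run `audit_url("https://<your-published-page>", "yourcompany.example")` against each page on your public-page list; a non-empty result is the signal to unpublish the page or move editors to a dedicated workspace, as recommended above. Note that `press@example.com` in the sample is reported under `text` only, so it is not counted as hidden exposure.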
Terminology
PII: Personally Identifiable Information. Data that can be used to identify a specific individual, such as name, email, or phone number.
OSINT: Open Source Intelligence. The practice of collecting and analyzing publicly available information to gather intelligence about individuals or organizations.
email proxy: A system that exposes an anonymized alias instead of a real email address. GitHub uses addresses like `@users.noreply.github.com` to protect user privacy.
deanonymize: To reveal the identity of an anonymous person by combining publicly available information.
metadata: Data about data. In the context of webpages, information contained in HTML `<meta>` tags used for search engine previews and social media sharing, often invisible to the average user.