TL;DR: Notion’s Email Leak Problem
Notion accidentally exposed the email addresses of everyone who had ever edited a public page — a significant privacy failure. The users hit hardest are enterprise teams, startups, and freelancers who use Notion for collaborative work.
The root cause was an API design issue: Notion’s backend was sending email data in responses even when it wasn’t needed to render the page. Anyone with knowledge of browser DevTools could silently harvest those emails.
The good news: Notion has patched this, and there are no confirmed reports of the data being weaponized.
The Proof

Security researchers found that loading any public Notion page and inspecting network traffic in DevTools revealed API responses containing the email addresses of every person who had ever edited that page.
The alarming part: these emails were never rendered on the page itself. They were just shipped in the API payload unnecessarily — which means anyone who can read a network request could scrape them silently.
This is a textbook API over-exposure problem. Data that doesn’t appear in the UI can still be leaked if it’s included in the response.
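The over-exposure described above can be caught with a regression check on the public response and prevented with an allowlist serializer. The sketch below is an added example, not Notion's code: the payload shape, the field names, and the choice of `id` and `name` as the public editor fields are all constructed assumptions.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample: the shape of a public-page API response that carries
# editor records. Field names are hypothetical, not Notion's real schema.
SAMPLE_RESPONSE = {
    "page": {"id": "page-1", "title": "Public roadmap"},
    "editors": [
        {"id": "u1", "name": "Alice", "email": "alice@example.com"},
        {"id": "u2", "name": "Bob", "email": "bob@example.com"},
    ],
}

# Assumption: these are the only editor fields a public viewer needs.
PUBLIC_EDITOR_FIELDS = ("id", "name")


def find_email_leaks(node, path="$"):
    """Walk a decoded JSON payload and return the paths of values that
    contain an email address, whether or not the UI ever displays them."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += find_email_leaks(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_email_leaks(value, f"{path}[{i}]")
    elif isinstance(node, str) and EMAIL_RE.search(node):
        hits.append(path)
    return hits


def to_public_view(response):
    """Build the public response from an allowlist, so a field added to the
    internal record later is not exposed by default."""
    return {
        "page": {k: response["page"][k] for k in ("id", "title")},
        "editors": [
            {k: e[k] for k in PUBLIC_EDITOR_FIELDS if k in e}
            for e in response["editors"]
        ],
    }


if __name__ == "__main__":
    print("before:", find_email_leaks(SAMPLE_RESPONSE))
    print("after: ", find_email_leaks(to_public_view(SAMPLE_RESPONSE)))
```

Running `find_email_leaks` against every unauthenticated endpoint in CI turns "the UI doesn't show it" into an enforced property of the payload itself.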
When Collaboration Becomes a Liability
Startups and small teams that use Notion for public documentation or knowledge bases are now rethinking their security posture.
Developers reported finding their coworkers’ emails exposed — particularly teams running public roadmaps or blogs on Notion. Several organizations have started evaluating migrations to other platforms as a result.
What makes this worse is that most users had no idea the leak was happening. It’s invisible on screen, but an attacker could use those harvested emails for social engineering or spear phishing immediately.
Notion’s Competitive Position
This puts Notion in a tough spot. It’s competing against Microsoft 365, Google Workspace, and Slack — all of which hold higher security standards. Large enterprises were already cautious; this incident gives them more reason to stay away.
The competitive damage is real. Rivals can now point to this as a concrete failure. If Notion doesn’t rebuild trust, it risks losing market share to Obsidian, Coda, or Microsoft Loop — all of which are gaining traction. Multiple organizations are now actively evaluating migrations.
Before vs. After the Fix
| Factor | Before Fix | After Fix |
|---|---|---|
| Email exposure | Visible to anyone | Hidden from public |
| Privacy control | None | New user settings |
| Phishing risk | Very high | Significantly reduced |
| Enterprise trust | Low | Recovering |
After the patch, email addresses no longer appear in public page API responses. Notion also added new privacy settings so users can control how much personal information is exposed when collaborating.
The notification system was also updated, giving admins finer control over visibility during collaboration. The response time was reasonable, but the trust damage will take longer to repair.
Real-World Impact
The hardest-hit use case is client-facing work. Many companies use Notion to build public knowledge bases or client manuals — and now every team member who ever touched those pages had their email exposed. Clients could misuse that data.
Large organizations sharing internal docs via public pages face the same problem: every employee who edited those documents had their email leaked. Expect spam and phishing follow-ups.
Remote teams using Notion as a central hub need to audit their entire workflow. Many have already switched to internal-only sharing as a temporary measure to stop further exposure.
Security Comparison with Competitors
| Factor | Notion | Google Workspace | Microsoft 365 |
|---|---|---|---|
| Email Privacy | Exposed editor emails | Hidden in public shares | Hidden in public shares |
| Public Sharing | Had email leak bug | Anonymous viewing | Anonymous viewing |
| Access Control | Basic permissions | Advanced IAM | Enterprise security |
| Audit Logs | Limited tracking | Full audit trail | Complete audit system |
Compared to Google Workspace and Microsoft 365, Notion’s security posture is noticeably weaker. Both competitors have always hidden editor emails from public-facing shares by default.
Google and Microsoft ship enterprise-grade security from the start — full audit logs, advanced access control, compliance tooling. Notion has always prioritized ease of use over security depth.
For organizations that treat security as non-negotiable, alternatives deserve a serious look — or at minimum, restrict Notion to internal-only use.
Pros and Cons After the Incident
Pros
- Notion acknowledged the issue and patched it quickly
- Collaboration features remain fully functional
- Still cost-competitive vs. alternatives
- Simple interface remains a genuine advantage for small teams
Cons
- Security credibility has taken a real hit
- Large organizations may avoid it for sensitive data
- Still lacks advanced enterprise security features
- Audit and compliance capabilities remain thin
Straight talk: this incident is a forcing function for Notion to overhaul its security infrastructure. The fast response is a good signal, but it doesn’t close the capability gap.
For personal use or small teams handling non-sensitive work, this isn’t a dealbreaker. For organizations managing enterprise-grade data, hold off and watch whether security investment follows the patch.
Hidden Costs
Beyond subscription fees, a privacy leak like this can force organizations to invest in security audits, bring in external consultants, or fund a platform migration — none of which are cheap.
Teams that relied heavily on public pages need to rethink their sharing workflows entirely. Some may fall back to emailing files as a temporary workaround, killing the productivity gain Notion was supposed to provide.
The real cost isn’t just money — it’s the time to re-engineer processes and the ongoing risk from data that already leaked.
Made for
- Personal users or hobby projects with no sensitive data
- Small teams working with non-sensitive, general information
Think twice
- Companies that use public pages sparingly and have a contingency plan ready
Skip this one
- Organizations storing customer data or sensitive information — consider Obsidian or OneNote instead
If you’ve been sharing sensitive work through Notion public pages, stop. Email addresses that already leaked can’t be recalled.
For personal note-taking or small projects, it’s still usable — just be deliberate about what you make public. For startups or companies with sensitive data, now is a good time to evaluate alternatives seriously.
This isn’t just a technical issue — it’s a trust issue. Organizations that take data privacy seriously should at minimum audit their current Notion usage and consider migrating sensitive content elsewhere.
Key Lessons and the Path Forward
This incident demonstrates what happens when features are shipped without thinking through privacy implications. Exposing the email address of every contributor to a public page is exactly the kind of vulnerability that a privacy-by-design review would have caught.
Before sharing anything publicly, always audit your sharing settings. Choose collaboration tools with granular permission controls and a documented track record on security.
Tech companies in 2026 need to run privacy impact assessments before launching any new feature — personal data is not a detail. For developers: learn privacy-by-design principles and apply them from day one of the development cycle, not as an afterthought.