Notion Email Leak: Why Public Pages Expose Editor Addresses
Tags: notion, privacy leak, email exposure, data privacy, cybersecurity, metadata, public pages, MITRE ATT&CK, phishing, spam risk, data minimization, web security

Notion's Public Pages: Understanding the Email Leak

When a privacy issue like the Notion email leak is labeled an "intended feature," it indicates a serious problem. Since at least 2020, users have reported that publishing a page to the web exposes the email addresses of *all* editors within its public metadata. Notion's official response: "Working as designed."

This isn't the first time a design choice has led to uncommunicated privacy implications. User discussions on platforms like Reddit and Twitter reveal strong criticism, viewing it as a straightforward issue with significant privacy ramifications. This isn't a recent discovery; reports to Notion, documented in various online forums and support threads, date back to at least 2020, highlighting the persistent nature of this Notion email leak.

Let's dive into how this exposure happens and what you can do about it.

Unpacking Notion's Public Page Metadata: How the Notion Email Leak Happens

When a Notion page is published to the web, the platform generates an HTML document. This document contains not only the visible content but also various metadata fields. The issue arises when Notion includes contributor information within these fields.

The process unfolds in several steps:

1. Page Edit: Any user with edit access to a Notion page contributes to its revision history.
2. Page Publication: When "Share to web" is selected, a public URL is generated.
3. Metadata Embedding: The resulting public HTML then includes `<meta>` tags or JavaScript objects containing editor details, such as names, profile photos, and email addresses.
4. Network Payload: Further inspection of network requests reveals JSON payloads with even more granular user data, including email addresses, for all past editors.

Crucially, this isn't a complex exploit. It is a direct consequence of how Notion structures data for public pages. This data is readily visible in a browser's developer tools, either by inspecting the page source (e.g., within the HTML `<head>` section) or by examining relevant API responses in the network requests. This Notion email leak is a confidentiality issue by design.

[Figure: Developer console showing email in Notion page metadata. The 'Elements' tab is open with a `<meta>` tag containing an email address highlighted, against a blurred Notion page background.]

The Practical Impact of the Notion Email Leak: Why This Matters

If you have edited any Notion page that has been made public, your email address is likely exposed. This applies not just to the current page owner, but to *any* editor. This type of metadata exposure aligns with common data leakage vectors, which attackers frequently leverage for reconnaissance, specifically mapping to MITRE ATT&CK T1589.002 - Gather Victim Identity Information: Email Addresses.

- Spam Risk: Automated bots can scrape these public pages at scale and add every exposed address to spam lists.
- Targeted Phishing: An attacker who knows an email address and that its owner uses Notion can craft far more convincing phishing attempts, impersonating Notion or a collaborator.
- Credential Stuffing: While Notion likely employs rate limiting, a collection of valid email addresses is a starting point for credential stuffing or brute-force attacks against other services where users might reuse passwords.
- Data Minimization Failure: Beyond direct attacks, this practice violates the principle of data minimization. Users do not expect their work or personal email to become publicly discoverable simply by contributing to a shared document.

User feedback on platforms like Reddit and Twitter indicates a clear expectation mismatch: users assume contributor identities stay private, while Notion's design exposes personal identifiers. Notion's continued classification of this as 'intended behavior,' despite awareness since 2020, highlights a significant disconnect between its design philosophy and user privacy expectations.

Notion Email Leak: What's Being Done, and What Should Change

Notion officially considers this an intended feature, meaning no 'fix' is planned. They primarily advise users to be aware of what they publish. This approach, however, fails to address the underlying design flaw.

Notion needs to re-evaluate this 'intended feature'. A design choice that consistently generates user privacy concerns requires more than a policy statement; 'intended' does not equate to 'secure' or 'appropriate.' Granular control over metadata exposure is crucial. This would involve options such as a toggle to 'hide editor details' or 'anonymize contributors' for public pages. Furthermore, if this behavior is to persist, clear and prominent communication *before* publication is necessary, rather than relying on obscure support documentation.

But what can users do right now? To mitigate the immediate exposure, first audit every Notion page you have published to the web. Use the browser's developer tools to inspect the page source (HTML) for `@` symbols or common email domains, and check the 'Network' tab for JSON responses that may carry user data.

For pages that *must* remain public, duplicate the content and keep the number of editors on the public copy to an absolute minimum. For highly sensitive public-facing content, a more robust compartmentalization strategy is to use a dedicated Notion account with an alias email address, so that primary personal or professional contact information is never exposed. Finally, keep reporting the issue to Notion support; collective user feedback is historically the most effective mechanism to drive product changes and challenge 'intended feature' classifications.
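The audit step above (inspecting a published page's HTML for `<meta>` values, embedded JSON and plain text that contain email addresses) can be scripted so it runs over every page you own rather than one at a time in the developer console. The following is an added example for this article, not Notion's code or markup: the sample HTML, its tag and attribute names, and the addresses in it are all constructed for illustration, and `find_exposed_emails` is a helper introduced here. Feed it the saved page source of your own published pages and it reports which locations (meta tags, script-embedded JSON, visible body text) carry an address.

```python
import json
import re
from html.parser import HTMLParser

# Constructed sample of the kind of HTML a published page might carry.
# The tag/attribute names and every address are invented for this example;
# they are not Notion's real markup or real users.
SAMPLE_HTML = """<html><head>
<meta property="og:title" content="Team Roadmap">
<meta name="author" content="Alice Example <alice@example.com>">
<script id="initial-data" type="application/json">
{"page": {"title": "Team Roadmap"},
 "users": [{"name": "Alice Example", "email": "alice@example.com"},
           {"name": "Bob Example", "email": "bob@corp.example"}]}
</script>
</head><body><p>Contact: support@example.org for questions.</p></body></html>"""

# Deliberately simple address pattern: good enough for an audit, not for validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class MetadataScanner(HTMLParser):
    """Collects <meta> attribute values, <script> bodies and visible text separately."""

    def __init__(self):
        super().__init__()
        self.meta_values = []
        self.script_bodies = []
        self.text = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "meta":
            # Any attribute value (content=, name=, property=) may hold an address.
            self.meta_values.extend(v for _, v in attrs if v)
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> content to handle_data as one raw chunk.
        if self._in_script:
            self.script_bodies.append(data)
        else:
            self.text.append(data)


def _walk_json(obj, found):
    """Recursively collect string values that are exactly an email address."""
    if isinstance(obj, dict):
        for v in obj.values():
            _walk_json(v, found)
    elif isinstance(obj, list):
        for v in obj:
            _walk_json(v, found)
    elif isinstance(obj, str) and EMAIL_RE.fullmatch(obj):
        found.add(obj)


def find_exposed_emails(html):
    """Return {"meta": [...], "script_json": [...], "body_text": [...]} of addresses found."""
    scanner = MetadataScanner()
    scanner.feed(html)
    result = {}

    meta_hits = set()
    for value in scanner.meta_values:
        meta_hits.update(EMAIL_RE.findall(value))
    result["meta"] = sorted(meta_hits)

    json_hits = set()
    for body in scanner.script_bodies:
        try:
            _walk_json(json.loads(body), json_hits)
        except json.JSONDecodeError:
            # Not a JSON blob (ordinary JavaScript): fall back to a regex sweep.
            json_hits.update(EMAIL_RE.findall(body))
    result["script_json"] = sorted(json_hits)

    result["body_text"] = sorted(set(EMAIL_RE.findall("".join(scanner.text))))
    return result


if __name__ == "__main__":
    # Run against the constructed sample; in practice pass the saved source of your own page.
    for location, emails in find_exposed_emails(SAMPLE_HTML).items():
        print(f"{location}: {emails}")
```

The scanner separates locations on purpose: an address in `body_text` is content you chose to publish, whereas one in `meta` or `script_json` is exactly the contributor metadata this article is about, and is the finding to act on (remove the editor from the page, or republish from a minimal-editor duplicate). Note that this only covers what is in the initial HTML; data fetched later by the page's own JavaScript still has to be checked in the browser's Network tab, as described above.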

This isn't a complex zero-day vulnerability. It is a direct consequence of a design decision that prioritizes internal data structuring over user privacy. The default public discoverability of personal data represents a significant design flaw, not a feature. Notion's continued classification of this behavior as an 'intended feature' demonstrates a divergence from contemporary privacy-by-design principles, which increasingly prioritize user data protection by default, making the Notion email leak a critical point of contention.

Daniel Marsh
Former SOC analyst turned security writer. Methodical and evidence-driven, breaks down breaches and vulnerabilities with clarity, not drama.