Notion allegedly leaking editors’ email addresses from every public page

What happened

It has been reported that a security researcher using the Twitter handle @weezerOSINT discovered every public Notion page appears to leak the full names, email addresses and profile photos of everyone who edited it. Allegedly there is zero authentication required — no cookies, no tokens — and one POST request returns a list of editors. The claim, first aired on Twitter and picked up in Hacker News threads, paints a picture of a simple query turning public pages into an address book.

Why this matters

Think company wiki, onboarding docs, public project pages — anything set to “public” could be quietly exposing staff contact details. That’s a jackpot for spammers and phishers, and a useful foothold for targeted social‑engineering or doxxing. Privacy and trust are on the line. Who imagined a collaboration tool could also be handing out staff emails like party favors? This fits a broader pattern this year: misconfigurations and API quirks continuing to turn everyday tools into security headaches.

What to do (and what’s next)

As of this report, Notion has not publicly confirmed the issue. It has been reported that defenders should immediately audit any pages shared publicly and tighten sharing settings where feasible. Disable public access for internal wikis, limit editor lists, and warn employees to be extra vigilant for phishing. Organizations should contact Notion support and their security teams to escalate. Short term: close the hole. Long term: expect more scrutiny of collaboration platforms — and some awkward questions at product security reviews.

Sources: twitter.com/weezerosint, Hacker News