Openly published Notion pages can expose usernames, profile pictures, and email addresses of their editors through accessible metadata. The exposure does not respond to a specific incident, but to the platform's current design itself.
Personal information remains visible on open pages
The research conducted on this system concludes that, when a page is shared publicly, certain identification data of the people who have edited it may be exposed. Among them are the username, profile picture, and associated email.
The scope of the problem lies in that it is not an isolated error nor a temporary technical failure, but rather a behavior linked to how Notion manages that open publication and the metadata linked to it.
Without visible warnings in the publication process
The researchers have also found that warnings about this possible data exposure do not appear in the platform's publishing interface. That implies that a user can make a page public without receiving a clear warning about what personal information could become accessible.
That point reinforces the concern about the transparency of the system, as the open publication of content can affect not only the document itself, but also the digital identity of whoever has edited it.
Notion studies changes in its public API
Notion spokesperson, Max Schoening, has acknowledged that the current behavior is unacceptable. The company is now studying several measures to correct it, among them eliminating personally identifiable information from public API responses or implementing an email masking system.
The review remains open and points to changes in the way the platform exposes data associated with publicly shared pages, with the objective of limiting the visibility of personal information of the editors.