
Notion Turned Your Public Pages Into a Directory Nobody Asked For

Updated Apr 19, 2026

If you’ve been trusting Notion with your team’s work and your email address, that trust just got stress-tested — and it didn’t hold up.

In 2026, Notion found itself at the center of a data exposure incident that leaked the email addresses of editors on public pages. Not just names. Email addresses. The kind of detail that turns a vague “someone might know who I am” concern into a very concrete “someone can now contact me directly” problem.

What Actually Happened

The vulnerability tied back to prompt injection — specifically, indirect prompt injection through Notion AI. The mechanics are worth understanding because they’re sneaky in a way that goes beyond a typical misconfigured database. Notion AI was processing document edits and, critically, saving those edits before a user had a chance to review or approve them. That’s not a minor UX quirk. That’s a window for malicious instructions embedded in a document to execute actions the user never sanctioned.

The exposed data included names and contact details. When you combine names, email addresses, phone numbers, and physical addresses — which is exactly the combination that reportedly surfaced — you’re not looking at abstract metadata. You’re looking at a profile complete enough for targeted phishing, social engineering, or worse. Anyone who has edited a public Notion page was potentially exposed without doing anything wrong themselves.

The Scale Makes This Worse

Notion isn’t a niche tool. The platform sits at 100 million users, with 4 million paying customers. Its client list reads like a Fortune 500 roll call — Amazon, Nike, Uber, Pixar. These aren’t hobbyist wikis. These are operational workspaces where real people, with real professional identities, are collaborating on real work.

When a platform at that scale has a vulnerability that exposes editor data on public pages, the blast radius is enormous. And the nature of public Notion pages makes this particularly uncomfortable — people share them freely, embed them in websites, link them in newsletters. The assumption has always been that making a page public exposes the content, not the people who built it.

Prompt Injection Is the Problem Nobody Wants to Talk About

The AI angle here deserves more attention than it’s getting. Prompt injection isn’t new as a concept, but its real-world consequences are starting to land in ways that are hard to ignore. When AI features are woven into productivity tools, they create new attack surfaces that didn’t exist before. A bad actor doesn’t need to breach a server directly — they can embed instructions inside a document that the AI then acts on, silently, before anyone reviews the output.

The specific issue with Notion AI was that edits were being saved before the user clicked OK. That single design decision — auto-saving AI-generated changes — removed the one human checkpoint that might have caught something suspicious. It’s a small thing that opened a large door.
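The difference between saving AI output immediately and holding it for approval, as an added example that is not Notion's code or API. `PageStore`, its methods, the sample page and the extra confirmation for newly introduced email addresses are all assumptions made for illustration.

```python
import re
from dataclasses import dataclass

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample data: a public page and an AI-proposed rewrite of it.
ORIGINAL = "Q3 roadmap\n- ship search\n"
AI_EDIT = ORIGINAL + "Editors: alice@example.com, bob@example.com\n"

@dataclass
class PendingEdit:
    page_id: str
    new_text: str
    new_emails: set  # addresses present in the edit but not in the saved page

class PageStore:
    """Hypothetical persistence layer; not Notion's API."""
    def __init__(self, pages):
        self.pages, self.pending, self._seq = dict(pages), {}, 0

    def autosave_ai_edit(self, page_id, new_text):
        # Pattern the article describes: AI output persists before any review.
        self.pages[page_id] = new_text

    def stage_ai_edit(self, page_id, new_text):
        # Gated pattern: record the proposal, leave the saved page untouched.
        saved = set(EMAIL_RE.findall(self.pages[page_id]))
        proposed = set(EMAIL_RE.findall(new_text))
        self._seq += 1
        self.pending[self._seq] = PendingEdit(page_id, new_text, proposed - saved)
        return self._seq

    def approve(self, edit_id, ack_new_emails=False):
        edit = self.pending[edit_id]
        # Contact details the edit introduces need an explicit second confirmation.
        if edit.new_emails and not ack_new_emails:
            raise PermissionError(f"edit adds emails: {sorted(edit.new_emails)}")
        self.pages[edit.page_id] = self.pending.pop(edit_id).new_text

    def reject(self, edit_id):
        self.pending.pop(edit_id)

if __name__ == "__main__":
    store = PageStore({"roadmap": ORIGINAL})
    eid = store.stage_ai_edit("roadmap", AI_EDIT)
    print("saved page unchanged:", store.pages["roadmap"] == ORIGINAL)
    print("flagged for review:", sorted(store.pending[eid].new_emails))
    store.reject(eid)
```

With staging, the saved page only changes inside `approve`, so a proposal the reviewer never confirms leaves the public page as it was.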

This is the part that should make every product team building AI features uncomfortable. The convenience features — auto-save, background processing, proactive suggestions — are exactly the features that create exposure when prompt injection is in play. Speed and safety are pulling in opposite directions, and right now speed is winning.

What This Means for Anyone Using Notion

If you’ve edited a public Notion page, your email address may have been exposed. That’s the short version. The longer version involves thinking carefully about a few things:

  • Any public page you’ve contributed to is a potential source of exposure, not just pages you own.
  • The combination of name plus email plus additional contact details is enough for convincing targeted attacks.
  • AI-assisted tools that process documents in the background deserve the same scrutiny you’d give any third-party data processor.

Notion has 100 million users who largely trust it as a safe place to think out loud and collaborate. That trust is built on an assumption of reasonable data hygiene. This incident challenges that assumption in a specific and uncomfortable way — not because someone hacked a database, but because a feature designed to help ended up being used to extract.

The Bigger Picture

This isn’t just a Notion story. It’s an early signal of what happens when AI capabilities get shipped faster than the security model around them matures. Every tool adding AI features right now is making similar tradeoffs — background processing, auto-execution, reduced friction. Each of those tradeoffs is also a potential vulnerability waiting for someone creative enough to find it.

Notion is a solid product with a real user base that deserves better than finding out their contact details were up for grabs. The fix isn’t to abandon AI features — it’s to build them with the assumption that someone will try to abuse them, because someone always does.

Written by Jake Chen

AI technology analyst covering agent platforms since 2021. Tested 40+ agent frameworks. Regular contributor to AI industry publications.
