Your Public Notion Pages Are Quietly Leaking Everyone 's Emails

I Already Burned Myself on This

Last year I put a collaboration proposal on Notion and sent three potential clients a "view-only link" to review it. I thought I was just sharing text. Then someone told me their email addresses could be pulled out with a tool — just because they'd clicked the link. My stomach dropped. The clients didn't say anything, but I couldn't let it go: they trusted you enough to open the link, and you accidentally handed their email addresses to anyone who knew where to look .

This issue recently resurfaced in overseas tech communities. Someone built a dedicated tool to demonstrate it: take any publicly accessible Notion page and you can extract the email addresses of every account that ever edited it. It's not some elite h acking operation — a regular person following a tutorial can do it in minutes .

What's Actually Happening, and Who Gets Burned Most

Here 's the plain version: when Notion generates a public page, it bundles " contributor info" into the page data — and that includes email addresses. You think you're sharing "content." You're actually also sharing " who edited this."

Xiaoyu (小鱼), a freelance designer in Shenzhen, told me she routinely uses Notion for project proposals and sends clients a direct link — convenient, polished, low-friction. She had no idea that once a client has that link, anyone who knows the trick can grab both her email and the client's. Nobody's necessarily targeting you specifically, but the exposure is real whether or not anyone's looking.

The highest-risk scenarios: a public Notion personal homepage, proposal or quote pages sent to clients, shared resource libraries that multiple people have edited before going public.

You Can Check Everything in 5 Minutes Today — Completely Free

Cost: $0.
Time: Under 5 minutes.
Technical barrier: If you can click a mouse, you're qualified. No code involved.
First step : Open Notion, hit the "Share" button in the top-right corner, and check whether "Anyone with the link" is switched on.

Checklist:

• If the page is a proposal meant for one specific client — turn off the public link, switch to "Invite by email" instead.
• If you have a public-facing homepage or portfolio — consider pulling back " Edit" access for outsiders, leaving only "View" for them and keeping Edit for yourself alone.
• For old links you've already sent out — go into Share settings, turn off public access, and those old links die automatically.

I just went back through all my own public pages while writing this and found two that still had permissions open wider than they needed to be. Closed them. No big drama — just shutting doors that should've been shut .

Where You Are Shapes What I'd Do

If you're just getting started with no steady clients yet : No need to panic, but start the habit now — before you share anything via Notion, take one glance at Share settings and confirm you haven't opened it wider than necessary. Building that habit early saves you head aches later.

If you already have one or two active clients: I'd go check the Notion links you've sent them today. Not because something has definitely gone wrong — just to confirm and put your mind at rest. Client relationships take real work to build, and the small details are worth treating seriously.

If you're scaling up and starting to collaborate with a team: This is where things get messy fastest — more people, more pages, permissions all over the place. Worth blocking out 30 minutes to go through every extern ally shared page, tighten permissions consistently, and align with your team on one simple rule: always check the Share button before sending anything out. The tool itself is fine. It 's just about building the right habit around it.

Not everyone needs to drop everything and handle this right now — but if you happen to be sharing something on Notion today, five minutes to check is genuinely worth it.