Leaked Notion integration secret — workspace data exfiltration

A Notion integration secret grants access to every page and database the integration was added to. A leaked secret gives whoever holds it read (and possibly write) access on every one of those shared surfaces.

The next 60 seconds matter

The attacker enumerates pages/databases shared with the integration, reads content (often including secrets, meeting notes, customer data), and potentially modifies records if the integration has write access.

  • Read every page + database the integration is added to
  • Modify content if write-scope granted
  • Enumerate users whose properties appear in databases

Rotation playbook

  1. Notion → Settings & Members → Connections → (your integration) → Revoke
  2. Recreate the integration with tighter scope
  3. Manually re-add it to only the pages it genuinely needs

Prevent the next one

  • Never add an integration to the entire workspace; add it page by page
  • Prefer read-only integrations where possible
  • Rotate integration secrets quarterly

Pattern we scan for

secret_{43 chars} or ntn_{43 chars}
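
A minimal scanner for the pattern above, added here as an illustration and not the scanner this page refers to. It assumes the 43 characters are ASCII letters and digits (the page gives only the prefix and length), skips prefixes that are part of a longer identifier, and redacts matches so findings can be logged safely; all names and sample tokens are constructed.

```python
import re
from typing import Iterator, NamedTuple

# Assumption: the 43 characters after the prefix are ASCII letters and digits.
# The lookbehind skips prefixes embedded in a longer identifier (client_secret_...);
# the lookahead rejects runs longer than 43 characters.
TOKEN_RE = re.compile(
    r"(?<![A-Za-z0-9_])(secret|ntn)_([A-Za-z0-9]{43})(?![A-Za-z0-9])"
)


class Finding(NamedTuple):
    line_no: int
    prefix: str
    redacted: str


def redact(prefix: str, body: str) -> str:
    """Keep the prefix and last 4 characters so a finding can be matched to a
    specific secret without copying the secret into logs or tickets."""
    return f"{prefix}_{'*' * (len(body) - 4)}{body[-4:]}"


def scan_text(text: str) -> Iterator[Finding]:
    """Yield one redacted Finding per token-shaped string, with its line number."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            yield Finding(line_no, m.group(1), redact(m.group(1), m.group(2)))


# Constructed sample input; the token values are fabricated placeholders.
SAMPLE = "\n".join([
    "NOTION_TOKEN=secret_" + "A1b2C3d4E5" * 4 + "xyz",  # 43 chars: match
    "notion_key: 'ntn_" + "9" * 39 + "abcd'",            # 43 chars: match
    "client_secret_" + "a" * 43,                          # longer identifier: skipped
    "ntn_" + "b" * 44,                                    # 44 chars: skipped
    "secret_tooshort",                                    # too short: skipped
])

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.redacted}")
```

Any hit should be treated as a leaked secret and taken through the rotation playbook above.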