A Sarasota Law Firm Notion Audit: What We Found
This morning's Notion story was specific: a public API endpoint returned the email addresses of every editor on any public page. We immediately audited a Sarasota law firm that uses Notion for case intake. Here's what we found, what we rotated, and the one-page audit every business using Notion should run this week.
The morning call
At 9:17 this morning a Sarasota employment law firm we support forwarded me a screenshot from Twitter. A researcher had demonstrated that a Notion API endpoint, the one that renders a "Share to web" page, also returned a JSON blob containing the email addresses of every staff member who had ever edited that page. Not the public content. The editor list. For every public Notion page in the world.
By 9:42 we were on the phone with the firm's managing partner. By 10:15 we had a list of every "Share to web" page in the firm's Notion workspace. By noon we had a decision: the firm was moving 80% of its Notion content into access-controlled alternatives, and rotating every public link that we couldn't take down fast enough.
Here's what we found and what we did, because the same steps apply to any small business using Notion the way law firms do, as a shared knowledge base with occasional client-facing pages.
The problem in concrete terms
Notion lets you do two things that quietly combine into a privacy issue:
- Share to web, which makes a page readable without a login. This is useful. Lots of legitimate pages, a company careers page, a product announcement, a public RFP, use it. The share toggle is trivial to flip.
- Editor attribution, which tracks who edited what. Also useful, that's how Notion's activity log works. The editor identities include email addresses for every internal staff member who has ever touched the page.
The issue was that a backend API endpoint used to render the shared page also returned the editor list. A public page, one meant to be read by anyone, exposed its editor roster to anyone who made a direct API call. Not through the UI. Not through normal browsing. Through a specific URL that any scraper could hit in a loop.
Notion patched the endpoint within hours. But the window during which the endpoint was exposed is measured in months, and the data that leaked is now on a handful of GitHub gists and at least two dark-web forums we monitor. Nothing Notion does going forward undoes the emails that are already out.
Why a law firm was the first call
Law firms have a specific vulnerability to this kind of leak. Their staff emails are on their website (partners), in court filings (paralegals), and on sign-out sheets at county clerks' offices (investigators). But the mapping of which staff member edits which client matter is usually private, because the client matter itself is privileged.
Our firm uses Notion for three overlapping purposes:
- Public-facing pages: practice-area descriptions, attorney bios, the "careers" page
- Client-facing intake pages: a shared page per client with a questionnaire they fill in
- Internal case notes: privileged, never shared
The leak meant that anyone who scraped the Notion "shared" endpoints could build a map of which paralegals and associates had touched which client-facing page. If any of those pages were accidentally "shared to web" by a staff member who didn't know the difference between "share with client" and "share to web," the correlation between attorney and client matter could have leaked. For a firm that handles employment disputes, that mapping is worth serious money to the wrong people.
What the audit actually looked like
We booked a conference room and two hours. Managing partner, office administrator, two of us from Simple IT SRQ. The plan was:
Step 1: enumerate every Share-to-web page. Notion doesn't give you a "list all public pages" button. We used the Notion API with the firm's integration token to walk the entire page tree and flag every page with the "public" flag set. This took 14 minutes.
Step 2: classify each one. Each page fell into one of four buckets:
- Legitimate public content (bios, careers, the landing page for the firm's intake form), keep public
- Pages that should have been shared-with-email only (client questionnaires, case summaries), convert to logged-in access
- Pages shared publicly because the staff member didn't realize there was a difference, unshare immediately
- Orphaned pages from former staff members or old matters, archive
The firm had 47 public pages when we started. After classification: 8 legitimate, 11 should-be-restricted, 23 should-be-unshared, 5 orphans. The ratio is pretty typical.
Step 3: for every restricted page, move the content. This is the annoying part. Some content we migrated to the firm's Microsoft 365 SharePoint site (where access is tied to Active Directory groups and behaves properly for law-firm privilege tracking). Other content we moved to Clio (the firm's case-management system, which has proper matter-by-matter access controls). A few pages were deleted because they were drafts nobody had touched in over a year.
This took most of the two hours. But it's work the firm will never have to do again.
Step 4: disable the "share to web" capability for everyone except the admin. Notion lets the workspace admin restrict who can toggle "share to web." We enabled that restriction. Going forward, a staff member who wants to share a page externally has to ask the admin, who has a one-question checklist: "is this content safe to have indexed by Google and scraped by threat actors?"
Step 5: rotate anything that leaked. A few of the public pages had contact forms, email addresses, and one had a Calendly link. Nothing PII-grade, but we replaced the Calendly link (new URL, old one deprecated) so that anyone who scraped the old page can't correlate it to bookings going forward.
Step 6: notify anyone who might be affected. The firm's IT policy says breach-adjacent events get reported up. We drafted a short internal note ("here's what happened, here's what we did") and a shorter client-facing note for the five client matters where a previously-public page had contained the client's name. Florida FIPA requires 30-day notification on breaches of personal information; these weren't "breaches" under the legal definition (no SSN or financial data), but the firm sent the notices anyway. Lawyers are like that.
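The enumeration in Step 1, as an added example that is not the firm's or Notion's own code: a Python script that pages through Notion's `POST /v1/search` endpoint and keeps every page whose `public_url` is non-null, which is how the API reports "Share to web", together with the id of the last editor for the roster review. It assumes the integration token has been granted access to the workspace pages (search only returns pages the integration can see); the `notion_search` helper, the `fake_fetch` stand-in and the sample responses are constructed for this post.

```python
import json, urllib.request

NOTION_VERSION = "2022-06-28"  # API version header required on every Notion call

def notion_search(token):
    """Build fetch(cursor) that calls POST /v1/search with a real integration token."""
    def fetch(cursor):
        body = {"filter": {"property": "object", "value": "page"}, "page_size": 100}
        if cursor:
            body["start_cursor"] = cursor
        req = urllib.request.Request(
            "https://api.notion.com/v1/search", data=json.dumps(body).encode(), method="POST",
            headers={"Authorization": f"Bearer {token}", "Notion-Version": NOTION_VERSION,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def page_title(page):
    """Top-level pages and database rows keep their title under different property keys."""
    for prop in page.get("properties", {}).values():
        if prop.get("type") == "title":
            return "".join(t.get("plain_text", "") for t in prop["title"]) or "(untitled)"
    return "(untitled)"

def list_public_pages(fetch):
    """Follow the cursor through every search result; keep pages with a non-null public_url."""
    public, cursor = [], None
    while True:
        resp = fetch(cursor)
        for page in resp["results"]:
            if page.get("public_url"):  # null unless "Share to web" is switched on
                public.append({"title": page_title(page), "public_url": page["public_url"],
                               "editor_id": page.get("last_edited_by", {}).get("id")})
        if not resp.get("has_more"):
            return public
        cursor = resp["next_cursor"]

SAMPLE = [  # constructed sample responses (two result pages), standing in for the live API
    {"has_more": True, "next_cursor": "c2", "results": [
        {"id": "p1", "public_url": "https://example.notion.site/careers-p1", "last_edited_by": {"id": "u1"},
         "properties": {"title": {"type": "title", "title": [{"plain_text": "Careers"}]}}},
        {"id": "p2", "public_url": None, "last_edited_by": {"id": "u1"},
         "properties": {"title": {"type": "title", "title": [{"plain_text": "Case notes"}]}}}]},
    {"has_more": False, "next_cursor": None, "results": [
        {"id": "p3", "public_url": "https://example.notion.site/intake-p3", "last_edited_by": {"id": "u2"},
         "properties": {"Name": {"type": "title", "title": [{"plain_text": "Intake: Acme"}]}}}]}]
fake_fetch = lambda cursor: SAMPLE[0] if cursor is None else SAMPLE[1]  # offline stand-in

if __name__ == "__main__":
    print(list_public_pages(fake_fetch))
```

Against a live workspace, call `list_public_pages(notion_search(token))` instead of `fake_fetch`; the returned list is the input to the four-bucket classification in Step 2.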
What a non-law-firm should do
If your business doesn't handle privileged information but does use Notion, the audit is easier but the same in shape:
- List every public page. Use the Notion API with your integration token or, if you don't have one, walk the workspace manually. In a small office this takes under an hour.
- For each page, ask: is the editor list safe to be indexed? Most public pages are a careers page or product announcement where the editors are already public (marketing lead, COO). Those are fine. The ones where the editors include a paralegal, a billing specialist, or a medical assistant are the ones to restrict.
- Disable "share to web" for everyone except the admin. This is the setting change with the highest benefit-to-friction ratio in the whole audit. Do it by end of day.
- If your staff has been using Notion for client-facing work, seriously consider a migration. Notion is built to be a wiki, not an access-controlled client portal. Clio, Lawmatics, HubSpot, or a password-gated Microsoft 365 SharePoint site are all better-suited for anything client-facing. Notion stays for internal docs.
- Rotate anything the leak could have compromised. If your firm used public Notion pages to collect forms, embedded booking tools, or published email addresses, rotate every one of those surfaces.
The tools we're recommending more of this quarter
Independent of the Notion story, here's what we're installing or recommending more frequently this quarter. Every one of these is something that would have made this morning's cleanup faster:
- A YubiKey 5C NFC for every admin account. If the Notion admin account had been phished two months ago, the whole audit would have started from a worse place. Hardware keys are the cheapest major risk reduction in SaaS security right now, about $55 each.
- A two-bay Synology NAS for the archive copy of critical docs. The law firm had their case files mirrored to Synology, which meant nothing in the Notion audit was existential. For about $400 + two 4 TB drives, every small office should have this.
- A fireproof, waterproof document bag ($30 on Amazon) for the paper copy of the office's emergency runbook. The firm keeps theirs in their records room; we hand it to clients on day one.
The one-page audit sheet
For every business using Notion, the audit we ran today distilled into a single-page checklist:
- ☐ List every page in the workspace where "Share to web" is enabled
- ☐ Classify each: legitimate-public / should-restrict / should-unshare / orphan
- ☐ Migrate should-restrict content to an access-controlled tool (SharePoint, Clio, Google Drive with link restrictions, etc.)
- ☐ Unshare the should-unshare pages
- ☐ Archive or delete the orphans
- ☐ Restrict "share to web" toggle to workspace admins only
- ☐ Rotate any embedded links, booking URLs, or forms that were on a public page
- ☐ Notify clients whose matter-names appeared on previously-public pages
- ☐ Document the audit in your own compliance log (date, who, what was found, what was fixed)
Two hours for a 14-person firm. Half a day for a 40-person firm. The audit is annoying. The alternative is finding out from a Twitter researcher what's been scrapeable from your Notion for the last six months.
The policy this is all part of
All of the above - the Notion audit, SaaS inventory, and vendor-breach response - should become a small office checklist your staff can actually run. We can help build that during a fixed-fee IT review.
---
If your Sarasota, Bradenton, or Venice business uses Notion for anything client-facing and wants a set of outside eyes on the public-page list, reach out. We'll spend 45 minutes walking through your workspace with you on a screen share. No charge. Just hand us the integration token and we'll produce the list.
If you'd rather run the vendor piece yourself, start with a plain list of every SaaS tool, owner, login method, billing owner, and whether MFA is enforced.
---
Product links are Amazon affiliate links.