- A hacker posted on a dark web forum claiming to have a Notion database with over 110 million user records for sale.
- The alleged dataset contains information such as user email addresses, password hashes, IP addresses, workspaces, and subscription details.
- Security experts have found no evidence that the information was leaked from Notion, and the company itself has not reported a breach.

A threat actor has placed what they claim is a Notion user database up for sale. The listing says it contains more than 110 million records.
The seller offers a wide range of account information in the alleged dataset. However, cybersecurity researchers have not confirmed the breach actually happened.
What the Seller Claims to Have Stolen
According to the online listing, the database includes extensive user account details. The seller says it contains email addresses, username information, and password hashes.
The dataset reportedly includes signup IP addresses and last login IP addresses. It also has account creation dates and activity timestamps, according to the seller.
Other claimed fields include locale settings, timezone information, and country data. The listing says the database includes workspace names and user roles.
The seller also claims to have subscription information and trial status details. The listed information corresponds to the kind of data a SaaS application usually stores.
Is the Alleged Database Truly from Notion?
The big question is where this data actually came from. The seller has not provided any technical evidence showing they accessed Notion’s systems. There are no details about how a breach might have happened. The seller has not shared an attack timeline or any forensic findings.
Screenshots that would prove the breach have not been released yet. In their absence, researchers cannot verify the source of the information. Datasets advertised as new breaches are often not what they seem. Many turn out to be collections of previous leaks that threat actors gathered from multiple sources.
The verification challenges are not unique to the Notion claim; a dark web seller recently claimed the sale of 20 million Romanian citizen records, another massive dataset whose authenticity remains unconfirmed.
Some are built from data exposed in older security incidents. Others come from credential-stealing malware or compromised integrations. Threat actors frequently inflate the size of their datasets. They sometimes add duplicate records to make the numbers look bigger.
There have been many cases where hackers fabricated claims entirely. Threat actors do this to draw the attention of potential buyers and enhance their reputation among cyber criminals.
Potential Risks If the Data is Real
If the data is authentic, this leak could put users at significant risk. For one, email addresses and account information are valuable to attackers; they are handy for crafting convincing phishing messages that trick users into handing over their login credentials. Workspace names and role information could help make those messages more believable.
Based on the threat actor’s post, there is a list of password hashes in the database. Although they are entirely different from passwords in plaintext, they could still be useful to malicious parties.
It is not hard for attackers to crack weak passwords from their hashes and try them on many other services. Many people reuse passwords across different platforms. Organizations that rely heavily on Notion could face increased risks. Detailed account information could help attackers launch social engineering attempts.
At this stage, these risks remain hypothetical. The authenticity of the data has not been established.
The Bigger Picture of Breach Claims
Cybercriminal marketplaces regularly feature claims about major technology companies. The larger the brand, the more attention a listing gets. Experienced researchers rarely accept large record counts at face value. They first try to find out if the information is fresh and authentic.
They also try to trace the data back to its specific origin. The advertised quantity of data is huge, even though the claim of a data breach is unproven.
What Happens Next
Independent researchers will likely try to validate the records. They will look for signs that the sampled data belongs to real users. They check if the information is recent and follows expected patterns. Further confirmation from the victims or security firms would support the claim.
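The checks described above (duplicate padding, recency, expected patterns) can be sketched as a triage pass over a sample. This is an added example, not code from the article or from any researcher it mentions; the field names follow the listing's claimed fields, and the sample rows, the reference date and the 365-day freshness window are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample rows (not real data), shaped like the fields the listing advertises.
SAMPLE = [
    {"email": "Ana@example.com", "created_at": "2021-03-02T10:00:00+00:00",
     "last_active": "2025-11-20T08:15:00+00:00"},
    {"email": " ana@example.com ", "created_at": "2021-03-02T10:00:00+00:00",
     "last_active": "2025-11-20T08:15:00+00:00"},   # padded duplicate
    {"email": "bo@example.org", "created_at": "2019-06-11T09:00:00+00:00",
     "last_active": "2019-07-01T12:00:00+00:00"},   # valid but stale
    {"email": "cy@example.net", "created_at": "2022-01-05T00:00:00+00:00",
     "last_active": "2021-12-30T00:00:00+00:00"},   # active before creation
    {"email": "not-an-email", "created_at": "2020-01-01T00:00:00+00:00",
     "last_active": "2020-01-02T00:00:00+00:00"},   # malformed address
]
AS_OF = datetime(2026, 1, 1, tzinfo=timezone.utc)   # assumed review date


def normalize_email(raw):
    """Case and whitespace variants of one address count as one record."""
    return raw.strip().lower()


def triage(rows, as_of, fresh_days=365):
    """Summarize how much of a sample is unique, well-formed, consistent and recent."""
    seen = set()
    stats = {"rows": len(rows), "unique": 0, "duplicates": 0,
             "malformed": 0, "inconsistent": 0, "fresh": 0}
    for row in rows:
        email = normalize_email(row["email"])
        local, _, domain = email.partition("@")
        if not local or "." not in domain:
            stats["malformed"] += 1
            continue
        if email in seen:
            stats["duplicates"] += 1      # inflates the advertised record count
            continue
        seen.add(email)
        created = datetime.fromisoformat(row["created_at"])
        active = datetime.fromisoformat(row["last_active"])
        if active < created or active > as_of:
            stats["inconsistent"] += 1    # timestamps a real system would not produce
        elif (as_of - active).days <= fresh_days:
            stats["fresh"] += 1           # recent activity suggests current data
    stats["unique"] = len(seen)
    return stats


if __name__ == "__main__":
    print(triage(SAMPLE, AS_OF))
```

A low unique-to-rows ratio or few fresh records points toward a padded or recycled compilation rather than a new compromise, though neither result alone attributes the data to a source.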
No official statements were provided by the company. The company has not confirmed any security incident. For now, the alleged Notion database sale remains an unverified breach claim. It is not a confirmed security incident at this time.
There is no public basis for concluding that Notion suffered a breach. The listing may represent a genuine compromise, but that remains unproven. Or maybe the actor just recycled data from third-party sources. It might be an entirely different type of dataset altogether.
Until there’s evidence that the data comes from Notion, the claim remains just a rumor. The case shows once again that data breach claims require verification. Not everything posted on cybercrime websites is true.