A threat actor is advertising what they describe as a full database dump from Notion, the productivity platform used by Nvidia, OpenAI, Toyota, and Vercel, claiming to hold more than 110 million user records containing account information, password hashes, and login metadata. The seller posted 48 sample records to validate the offering, which Cybernews researchers reviewed and found internally consistent, though the full scale remains unverified. Notion has downplayed the claim, with the inquiry answered by its AI customer support assistant rather than a security spokesperson.
What Happened
A hacker took to underground forums to claim responsibility for a data breach affecting Notion and is offering the alleged dataset to the highest bidder. To support the claim, the seller published 48 sample records spanning a wide range of account-related fields. Cybernews researchers examined the samples and assessed them as internally consistent and legitimate in appearance, while cautioning that there is currently no way to confirm whether the full dataset truly contains the advertised 110 million records. "The sample looks legitimate, but we cannot confirm the claimed number of records," they said. The figure is notable because Notion itself states it has over 100 million users across its applications, making the claimed volume plausible in scale.
What Was Taken
The advertised dataset is said to include account information, password hashes, and login metadata for more than 110 million users. The passwords appear to be stored as hashes rather than plaintext, which limits but does not eliminate the risk. Login metadata and email addresses round out the exposure, giving attackers both authentication artifacts and direct contact channels for follow-on abuse. Researchers stressed that the sample of 48 records is the only verified portion; the remainder of the claimed corpus cannot be independently confirmed at this time.
Why It Matters
Notion sits at the center of how many enterprises document plans, store knowledge, and coordinate work, and its client roster includes Nvidia, OpenAI, Toyota, and Vercel. A credential dataset tied to a platform of this reach is valuable well beyond Notion itself. Even hashed passwords feed account takeover and credential stuffing campaigns: depending on the hashing algorithm and password strength, attackers may crack weaker hashes and replay the recovered passwords against unrelated services, exploiting the widespread habit of password reuse. The exposed email addresses also enable convincing phishing that impersonates Notion support or other trusted brands, and attackers routinely merge fresh leaks with previously stolen credentials to sharpen social engineering.
The Attack Technique
The threat actor has not disclosed an intrusion method, and the initial access vector remains unknown. What is established is the post-incident playbook the data enables. With password hashes in hand, attackers can run offline cracking against weak or common passwords, then pivot to credential stuffing across other platforms. Exposed emails support targeted phishing impersonating Notion or trusted services, and combining the leak with prior breach data raises the believability of those lures. Notably, when Cybernews sought confirmation, the inquiry was handled by Notion's AI support assistant, which replied that it "cannot confirm a specific cyber incident from the information provided" and pointed to general security practices, illustrating a gap when automated support fronts breach disclosure.
What Organizations Should Do
- Force or strongly encourage a password reset for all Notion users in your organization, and revoke active sessions where possible.
- Enable and enforce multi-factor authentication on Notion accounts to blunt account takeover even if hashes are cracked.
- Hunt for credential reuse: require unique passwords and deploy a password manager so a Notion compromise does not cascade to other services.
- Brief users on phishing impersonating Notion support, and tune email filtering for lures referencing account verification or security alerts.
- Monitor for credential-stuffing patterns and anomalous logins against corporate SSO and SaaS tied to the same email addresses.
- Treat the claim as credible until disproven; assume exposure and prioritize identity hardening rather than waiting for vendor confirmation.
Sources: Hackers claim 110M Notion records exposed, but the company's AI assistant is not concerned
TWEET: Notion breached, threat actor claims 110M user records with password hashes for sale. Used by Nvidia & OpenAI. Notion downplays it. Full breakdown: https://wasteland.me/intel/notion-110m-records-breach-claim #CyberSecurity #ThreatIntel