
Notion’s hours-long outage was caused by phishing complaints

Zack Whittaker
Security Editor, TechCrunch
February 15, 2021

Notion Outage Root Cause: Phishing Reports

A prolonged outage at the online workspace platform Notion last week stemmed from complaints about phishing activity, according to the company’s domain registrar.

Service Interruption Details

For a significant portion of Friday morning, Notion was inaccessible, leaving over four million users without access to their organizational tools. The company initially attributed the issue to an “unusual DNS problem” originating at the registry operator level.

Consequently, users found themselves unable to reach their files, calendars, and other essential documents.

Domain Management Structure

Notion’s domain, notion.so, was registered through Name.com. However, the management of all .so domains is overseen by Hexonet.

Hexonet functions as a liaison between Sonic, the top-level domain registry for .so, and domain registrars such as Name.com.

This intricate network of dependencies played a key role in the communication breakdown that led to Notion’s extended downtime.

Name.com’s Explanation

According to a statement from Name.com spokesperson Jared Ewy, Hexonet received complaints regarding phishing-related content on user-created Notion pages.

Hexonet alerted Name.com to these reports, but independent verification proved impossible. Following established procedures, Hexonet temporarily suspended Notion’s domain.

Ewy further stated, “Recognizing the impact of this action, collaborative efforts were undertaken to swiftly restore service to Notion and its user base.”

“All involved teams are now collaborating on revised protocols to prevent similar incidents in the future. The Notion team and its dedicated community were responsive and cooperative throughout the process. We appreciate everyone’s patience and understanding,” Ewy added.

Mitigation and Future Prevention

Current indications suggest the likelihood of a recurrence is low.

Notion initially did not respond to inquiries, but spokesperson Camille Ricketts later clarified to TechCrunch: “Our platform is not intended for hosting phishing websites.”

“We employ automated security measures to detect and remove suspicious links on pages associated with our domain.”

Ricketts explained that, in this specific instance, a user had created a Notion page containing a link to a phishing site hosted elsewhere, which initially evaded detection.

“Typically, we would receive notification from our domain vendors before service is interrupted, but this did not occur. With a new communication protocol now established, we are confident in preventing similar issues.”

Ongoing Security Concerns

Discussions on Reddit have highlighted concerns about the potential for Notion to be exploited for hosting phishing sites.

Security researchers have also presented evidence of active phishing campaigns utilizing Notion.

Approximately a year ago, a Notion employee indicated that the company would “soon” transition its domain to notion.com, which it already owns.

Similar Incident with Zoho

Notion’s experience mirrors what happened to Zoho in 2018.

Like Notion, Zoho was forced to contact its domain registrar directly after zoho.com was blocked following reports of phishing emails originating from Zoho-hosted accounts.

Updated with comment from Notion.

