Notion’s hours-long outage was caused by phishing complaints

Last week’s hours-long outage at online workspace startup Notion was caused by phishing complaints, according to the startup’s domain registrar.

Notion was offline for most of the morning on Friday, plunging its more than four million users into organization darkness because of what the company called a “very unusual DNS issue that occurred at the registry operator level.” With the company’s domain offline, users were unable to access their files, calendars, and documents.

Notion registered its domain name notion.so through Name.com, but all .so domains are managed by Hexonet, a company that helps connect Sonic, the .so top-level domain registry, with domain name registrars like Name.com.

That complex web of interdependence is in large part what led to the communications failure that resulted in Notion falling offline for hours.

In an email to TechCrunch, Name.com spokesperson Jared Ewy said: “Hexonet received complaints about user-generated Notion pages connected to phishing. They informed Name.com about these reports, but we were unable to independently confirm them. Per its policies, Hexonet placed a temporary hold on Notion’s domain.”

“Noting the impact of this action, all teams worked together to restore service to Notion and its users. All three teams are now partnering on new protocols to ensure this type of incident does not happen again. The Notion team and their avid followers were responsive and a pleasure to work with throughout. We thank everyone for their patience and understanding,” said Ewy.

It sounds like there’s no immediate danger of a repeat outage.

Notion did not respond to our emails prior to publication, but spokesperson Camille Ricketts later told TechCrunch: “We do not allow Notion to be used to host phishing sites. We have automated security software that scans for suspicious links on any pages associated with our domain and removes them.”

“In this instance, a user had created a Notion page that linked out to a phishing site hosted elsewhere, and it was not flagged,” said Ricketts. “Even in this case, we’d typically be alerted to the issue by our domain vendors before service is blocked. This time, we weren’t notified. Now that we have a new communication protocol in place, we’re confident this type of issue won’t happen again.”

There are several threads on Reddit discussing concerns about Notion being used to host phishing sites, and security researchers have shown examples of Notion used in active phishing campaigns. A Notion employee said almost a year ago that Notion would “soon” move its domain to notion.com, which the company owns.

Notion’s outage is almost identical to what happened with Zoho in 2018, which like Notion, resorted to tweeting at its domain registrar after it blocked zoho.com following complaints about phishing emails sent from Zoho-hosted email accounts.

Updated with comment from Notion.

Read more: