Notion, Slack, Google, Zoom, Nikkei and Workday: Your work apps are quietly handing 19 data points to someone

Workplace Apps Collect Extensive User Data, Raising Privacy and Security Concerns

A recent study by Incogni, analyzing data from the Google Play Store as of March 20, 2026, reveals that ten widely used workplace apps, including Gmail, Microsoft Teams, Zoom Workplace, Slack, and Notion, collect an average of 19 data points per app, with some sharing sensitive information with third parties. These apps, cumulatively downloaded over 12.5 billion times, are integral to U.S. corporate operations but pose significant privacy and security risks.

Data Collection and Sharing Practices
Gmail leads in data harvesting, collecting 26 distinct data types, including approximate location, app interactions, and user IDs for advertising. Microsoft Teams and Zoom Workplace follow closely, with 25 and 23 data types, respectively, both uniquely gathering precise location data. Six of the ten apps, including Slack, Notion, and Zoom Workplace, use collected data for marketing, with Slack, Todoist, and Notion specifically harvesting employee email addresses for this purpose.

Notion stands out for its outbound data flow, sharing eight data types such as email addresses, names, and device IDs with third parties, including advertising partners. The app’s privacy policy permits tracking tools on user browsers, raising concerns over the exposure of sensitive workspace content like HR records and client data. Regulatory scrutiny has intensified, particularly after the EU’s Data Protection Board tightened GDPR requirements in December 2024 regarding personal data use in AI training, directly impacting Notion’s third-party model integrations.

Security Vulnerabilities and Breach History
Most apps in the study have a history of breaches. In January 2026, a 96-gigabyte database containing 149 million login credentials, 48 million tied to Gmail, was exposed, attributed to infostealer malware on user devices. Slack suffered a November 2025 breach where attackers used stolen credentials to access accounts of over 17,000 Nikkei employees, exposing names, emails, and chat histories. Trello, Zoom, and Microsoft products have also faced incidents, with Trello data appearing for sale in January 2024.

Workday is the only app in the analysis without a user data deletion option, despite holding employment records and payroll details. In August 2025, the platform confirmed two breaches linked to its Salesforce CRM, where attackers obtained business contact information as part of a ShinyHunters social engineering campaign.

BYOD Risks and Platform Disparities
Many employees install these apps on personal devices, exposing contact details, financial data, and location information to advertising networks or corporate administrators. Slack, for example, lacks end-to-end encryption, allowing workspace owners to access direct messages and private channels. While the study focuses on Google Play data, Incogni notes that iOS disclosures may differ, though past comparisons suggest similar privacy practices across platforms.

The findings highlight the trade-offs between workplace productivity and data exposure, with recurring breaches and extensive tracking underscoring the risks of integrating these tools into daily operations.

Source: https://www.helpnetsecurity.com/2026/05/04/workplace-apps-data-collection-privacy/

Workday cybersecurity rating report: https://www.rankiteo.com/company/workday

Notion cybersecurity rating report: https://www.rankiteo.com/company/notionhq

Google Workspace cybersecurity rating report: https://www.rankiteo.com/company/googleworkspace

Zoom cybersecurity rating report: https://www.rankiteo.com/company/zoom

Nikkei cybersecurity rating report: https://www.rankiteo.com/company/nikkei

Slack cybersecurity rating report: https://www.rankiteo.com/company/tiny-spec-inc

"id": "WORNOTGOOZOONIKTIN1777868873",
"linkid": "workday, notionhq, googleworkspace, zoom, nikkei, tiny-spec-inc",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '149 million (48 million tied to '
                                              'Gmail)',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Gmail',
                        'size': 'Large',
                        'type': 'Email Service'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Microsoft Teams',
                        'size': 'Large',
                        'type': 'Collaboration Platform'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Zoom Workplace',
                        'size': 'Large',
                        'type': 'Video Conferencing'},
                       {'customers_affected': '17,000 Nikkei employees',
                        'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Slack',
                        'size': 'Large',
                        'type': 'Messaging Platform'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Notion',
                        'size': 'Large',
                        'type': 'Productivity Tool'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Trello',
                        'size': 'Large',
                        'type': 'Project Management'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Workday',
                        'size': 'Large',
                        'type': 'HR and Payroll Software'}],
 'attack_vector': ['Infostealer Malware',
                   'Stolen Credentials',
                   'Third-Party Data Sharing'],
 'data_breach': {'data_encryption': 'Lacking in some cases (e.g., Slack)',
                 'data_exfiltration': 'Yes',
                 'number_of_records_exposed': ['149 million (Gmail-related)',
                                               '17,000 (Slack)'],
                 'personally_identifiable_information': ['Email Addresses',
                                                         'Names',
                                                         'Employment Records',
                                                         'Payroll Details'],
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Login Credentials',
                                              'Email Addresses',
                                              'Names',
                                              'Chat Histories',
                                              'Employment Records',
                                              'Payroll Details',
                                              'Device IDs',
                                              'Location Data']},
 'date_detected': '2026-03-20',
 'date_publicly_disclosed': '2026-03-20',
 'description': 'A recent study by Incogni reveals that ten widely used '
                'workplace apps, including Gmail, Microsoft Teams, Zoom '
                'Workplace, Slack, and Notion, collect an average of 19 data '
                'points per app, with some sharing sensitive information with '
                'third parties. These apps pose significant privacy and '
                'security risks due to extensive data harvesting and sharing '
                'practices, as well as a history of breaches.',
 'impact': {'brand_reputation_impact': 'Increased regulatory scrutiny and loss '
                                       'of user trust',
            'data_compromised': ['Login Credentials',
                                 'Email Addresses',
                                 'Names',
                                 'Chat Histories',
                                 'Employment Records',
                                 'Payroll Details',
                                 'Device IDs',
                                 'Location Data'],
            'identity_theft_risk': 'High',
            'legal_liabilities': ['GDPR Violations', 'Potential Fines'],
            'operational_impact': 'Exposure of sensitive workspace content and '
                                  'corporate data',
            'systems_affected': ['Gmail',
                                 'Microsoft Teams',
                                 'Zoom Workplace',
                                 'Slack',
                                 'Notion',
                                 'Trello',
                                 'Workday']},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (Trello data)'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The trade-offs between workplace productivity and data '
                    'exposure highlight the need for stronger data protection '
                    'measures, end-to-end encryption, and stricter third-party '
                    'data sharing policies.',
 'motivation': ['Data Harvesting for Advertising',
                'Financial Gain',
                'Espionage'],
 'post_incident_analysis': {'corrective_actions': ['Enhance encryption',
                                                   'Limit third-party access',
                                                   'Improve user data deletion '
                                                   'options',
                                                   'Strengthen credential '
                                                   'security'],
                            'root_causes': ['Extensive data collection '
                                            'practices',
                                            'Third-party data sharing',
                                            'Lack of end-to-end encryption',
                                            'Infostealer malware',
                                            'Stolen credentials']},
 'recommendations': ['Implement end-to-end encryption for sensitive '
                     'communications',
                     'Limit third-party data sharing and tracking',
                     'Provide users with clear data deletion options',
                     'Enhance monitoring for infostealer malware and '
                     'credential theft',
                     'Comply with GDPR and other data protection regulations'],
 'references': [{'date_accessed': '2026-03-20', 'source': 'Incogni Study'},
                {'date_accessed': '2024-12',
                 'source': 'EU Data Protection Board'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR']},
 'threat_actor': ['ShinyHunters', 'Unknown Attackers'],
 'title': 'Workplace Apps Collect Extensive User Data, Raising Privacy and '
          'Security Concerns',
 'type': ['Data Collection', 'Privacy Violation', 'Data Breach'],
 'vulnerability_exploited': ['Lack of End-to-End Encryption',
                             'Insecure Data Storage',
                             'Third-Party Tracking Tools']}