When people think about document metadata, they usually picture Word: authors, tracked changes, comments. Spreadsheets get less attention, which is unfortunate, because Excel workbooks carry all of those risks plus a category that is unique to them. If you share financial models, data extracts, or reports as .xlsx files, this is worth understanding.
The standard properties (same as Word)
An .xlsx file is a ZIP archive, just like a .docx. Inside, the
docProps/ folder holds the same property files: core.xml with the author and last-modified-by names and the creation and edit timestamps, and app.xml with the company name, manager, and template path. So everything covered in our Word metadata guide about authorship and company exposure applies to spreadsheets too.
Comments are also a live risk. A cell comment reading "use the conservative figure here, the real number is lower" is invisible unless you hover over the cell, but it travels in the file and is trivially readable. Comments carry the author's name and a timestamp.
The leak that only spreadsheets have: defined names
Here is the part that surprises even careful people. Excel lets you create defined names — friendly labels for cells or ranges, like naming B2:B13 as "MonthlyRevenue." Useful. But defined names can also reference cells in other workbooks, and when they do, Excel stores the full path to that external file. Pull data from a file on a shared drive even once, and a defined name like this can end up baked into xl/workbook.xml:
<definedName name="LastYear">
'[\\fileserver01\finance\2024\Q4-actuals.xlsx]Sheet1'!$A$1:$M$60
</definedName>That single line, invisible anywhere on the spreadsheet grid, discloses:
- The name of an internal server (
fileserver01) - The folder hierarchy (
finance\2024) - The existence and naming convention of a confidential file (
Q4-actuals.xlsx)
To anyone doing reconnaissance on an organization, this is a gift: a map of where sensitive files live and how they are named, leaked by a workbook that was shared for an entirely innocent reason.
Why a cleaner should not auto-delete defined names
You might expect a metadata tool to simply strip all defined names. The problem is that most defined names are load-bearing — formulas across the workbook depend on them. Delete the wrong one and cells turn into #NAME? errors, silently breaking the file you were trying to protect. A responsible cleaner therefore leaves defined names intact and instead flags the risk, leaving the targeted removal to you, because only you know which names are still in use.
Removing a path-bearing name safely takes a moment in Excel: open Formulas → Name Manager, look for any entry whose "Refers To" value contains a path in square brackets, and delete it if no live formula needs it (or replace the external reference with local data first). Then run a metadata cleaner to clear the remaining document properties.
Other spreadsheet-specific exposures
- Data connections and query definitions. Workbooks that pull from databases or web sources can store connection strings, which may include server names and, in poorly configured cases, more.
- Hidden sheets and columns. These are content rather than metadata, so a metadata cleaner leaves them alone — but they are a classic accidental-disclosure route. Unhide and review before sharing.
- Embedded images and logos. A photo or screenshot pasted into a sheet keeps its own EXIF, including GPS if it came from a phone. A good cleaner strips EXIF from images stored in
xl/media/. - Custom XML properties. Enterprise systems inject matter numbers, client codes, and workflow states into
docProps/custom.xml. These are pure metadata and should be deleted.
A realistic scenario
A company sends a budget workbook to an external auditor. The visible sheets are exactly what was intended. But the file carries: the CFO-office account name in lastModifiedBy, the company name in app.xml, a cell comment noting that one figure was "adjusted for presentation," and a defined name pointing to \\fileserver01\finance\2024\actuals.xlsx. None of that was meant to leave the building. All of it did, inside a file that looked clean on screen.
The fix
For the document properties, comments, custom XML, and embedded-image EXIF, a metadata cleaner handles everything automatically — unzipping the workbook in memory, scrubbing the property files, deleting comments and custom parts, and stripping image EXIF, then repackaging a valid .xlsx with your data, formulas, and formatting untouched. For path-bearing defined names, remove them yourself in Name Manager first, since only you can tell which are safe to delete. Together, those two steps close every spreadsheet-specific disclosure route.
You can clean Excel workbooks entirely in your browser with our Excel metadata removal tool — no upload, no signup, nothing leaves your device.