Your Favorite Website Is Leaking Data, New Research Reveals

BOSTON, MA – January 21, 2026 – A vast and largely invisible threat is compromising the security of global websites, with nearly two-thirds of third-party applications accessing sensitive user data without any legitimate business purpose. A new report released today by cybersecurity firm Reflectiz reveals a 25% year-over-year surge in this high-risk activity, exposing a critical governance gap that leaves businesses and their customers dangerously exposed.

The firm's 2026 State of Web Exposure Research, an analysis of 4,700 leading websites, found that 64% of the third-party tools running on these sites—from analytics trackers to marketing widgets—are accessing sensitive information. This figure is up sharply from 51% just one year ago, indicating that the problem of client-side security is not only pervasive but escalating at an alarming rate.

These risks originate not on the company's secured servers, but within the user's own web browser. Modern websites are complex patchworks of dozens, sometimes hundreds, of scripts from external vendors. While these tools are essential for analytics, advertising, and user experience, they also create a sprawling and often unmonitored digital supply chain. When these scripts are granted excessive permissions, they can view and exfiltrate data that users enter into forms, including names, email addresses, passwords, and even credit card numbers.

"Organizations are granting sensitive-data access by default rather than exception — and attackers are exploiting that gap," said Simon Arazi, VP of Product at Reflectiz, in the announcement. "This year's data shows that marketing teams continue to introduce the majority of third‑party risk, while IT lacks visibility into what's actually running on the website."

Public Sector Under Siege

Nowhere is this growing threat more acute than in the public sector. The research exposes a dramatic surge in malicious activity targeting critical government and educational infrastructure. Government websites saw a more than six-fold increase in malicious activity, rising from 2% to 12.9% over the past year. The situation in education is equally dire, with one in seven websites now showing signs of active compromise—a four-fold increase.

Security leaders in these sectors cite budget constraints and limited manpower as primary obstacles to defending against these sophisticated client-side attacks. As public services become increasingly digitized, these vulnerabilities turn essential platforms into prime targets for data theft and disruption, eroding public trust and putting citizen data at significant risk.

The report identifies several widely used third-party tools as top drivers of this unjustified data exposure, including Google Tag Manager, Shopify, and Facebook Pixel. These tools are often deployed by marketing departments with broad permissions, creating security blind spots that IT and security teams struggle to monitor and control.

The Marketing-Security Disconnect

At the heart of the issue lies a fundamental disconnect between the goals of marketing departments and the security mandates of IT teams. The research found that marketing and digital departments account for 43% of all third-party risk. In the race for data-driven insights, customer engagement, and rapid innovation, teams often integrate new tools without a thorough security vetting process, creating a form of "shadow IT" that operates outside the view of traditional security controls.

This problem is particularly severe on the most sensitive parts of a website. According to the study, a staggering 47% of all applications running within online payment frames—the very windows where customers enter their credit card details—are unjustified and serve no legitimate business function. This creates fertile ground for web skimming attacks, also known as Magecart, in which malicious code silently steals payment information directly from the user's browser.

Compromised websites exhibit clear warning signs. The research shows they connect to 2.7 times more external domains, load twice as many trackers, and are 3.8 times more likely to use recently registered domains, a common tactic for attackers to exfiltrate stolen data. Despite the clear indicators, the sheer complexity of the modern web makes manual detection nearly impossible, highlighting the inadequacy of server-side security measures in protecting the client-side attack surface.

Navigating a New Regulatory Minefield

The widespread, unauthorized collection of data by third-party scripts places organizations in direct conflict with a growing web of data privacy regulations. This operational negligence creates significant legal and financial jeopardy.

Under Europe's General Data Protection Regulation (GDPR), organizations must adhere to principles of data minimization, meaning they can only process data that is necessary for a specified purpose. Allowing external scripts to access data without justification is a clear violation that can trigger fines of up to 4% of a company's annual global turnover.

Similarly, the California Privacy Rights Act (CPRA) requires businesses to implement "reasonable security" to protect consumer data and gives consumers a private right of action to sue for damages in the event of a breach. The client-side vulnerabilities identified in the report represent a failure to meet this standard, exposing companies to costly class-action lawsuits and regulatory penalties.

The payment card industry is also taking notice. The latest version of the Payment Card Industry Data Security Standard (PCI DSS 4.0) introduced new, explicit requirements (6.4.3 and 11.6.1) that mandate the management and authorization of all scripts running on payment pages. This change directly addresses the threat of web skimming and makes robust client-side security a prerequisite for compliance. As regulatory and industry standards evolve to counter these modern threats, organizations that lack visibility into their web supply chain risk not only a data breach but also severe non-compliance penalties and irreparable damage to their brand reputation.
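As an added illustration (example code written for this article, not part of the Reflectiz report or its tooling), the script below audits the external scripts on a constructed checkout-page snippet against an authorized-inventory list of the kind PCI DSS 4.0 requirement 6.4.3 calls for, and also flags the "recently registered domain" indicator the report describes for compromised sites. The hostnames, justifications and registration dates are constructed sample data; a real audit would take them from the site's own script inventory and from WHOIS/RDAP.

```python
import re
from datetime import date
from urllib.parse import urlparse

# Constructed inventory: script host -> recorded business justification.
# An empty justification means the tool is deployed but unjustified.
INVENTORY = {
    "www.googletagmanager.com": "Marketing: tag container, reviewed by IT",
    "js.stripe.com": "Payments: card tokenization",
    "connect.facebook.net": "",  # added by marketing, no justification on file
}
# Constructed WHOIS-style creation dates; a real audit would query WHOIS/RDAP.
REGISTERED = {
    "www.googletagmanager.com": date(2012, 1, 1),
    "js.stripe.com": date(2010, 1, 1),
    "connect.facebook.net": date(2007, 1, 1),
    "cdn-static-assets.example": date(2026, 1, 5),
}
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)

def audit_page(html, first_party, today=date(2026, 1, 21), young_days=90):
    """One finding per third-party script: authorized? justified? new domain?"""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).netloc.lower()
        if not host or host == first_party:
            continue  # relative or first-party script: not a third party
        created = REGISTERED.get(host)
        findings.append({
            "host": host,
            "authorized": host in INVENTORY,
            "justified": bool(INVENTORY.get(host)),
            "recently_registered": created is not None
                                   and (today - created).days < young_days,
        })
    return findings

def needs_review(findings):
    """Hosts that must not stay on a payment page as-is: unauthorized or unjustified."""
    return sorted(f["host"] for f in findings
                  if not (f["authorized"] and f["justified"]))

# Constructed checkout-page snippet (GTM-XXXX is a placeholder container id).
PAGE = """<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/static/app.js"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://cdn-static-assets.example/loader.js"></script>"""

if __name__ == "__main__":
    print(needs_review(audit_page(PAGE, "shop.example.com")))
```

The unknown host is both unauthorized and newly registered, and the inventoried Facebook Pixel loader is authorized but has no justification on file, which is exactly the governance gap the report describes.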
