
The study, which analyzed 4,700 major websites, found that 64% of third-party applications now access sensitive data without a legitimate business reason, up from 51% in 2024. Malicious activity in the government sector jumped from 2% to 12.9%, with 1 in 7 education sites showing active compromise. Specific violators: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%).
Download the full 43-page analysis →
TL;DR
The 2026 study revealed a significant disconnect. While 81% of security leaders make web attacks a top priority, only 39% have solutions in place to stop the bleeding.

Last year’s survey found unauthorized access on 51% of websites. This year it is 64%, and the spread across public infrastructure is accelerating.
What is web exposure?
Gartner coined the term “Web Exposure Management” to describe the security risks posed by third-party applications such as analytics, marketing pixels, CDNs, and payment tools. Each connection expands the attack surface. A compromise of a single vendor can turn into a massive data breach, because that vendor’s script can inject code that harvests credentials or skims payments.
This risk is fueled by governance gaps where marketing and digital teams deploy apps without IT oversight. The result is chronic misconfigurations that allow over-permitted applications to access sensitive data fields that are not functionally necessary.
This study analyzes exactly what data these third-party apps access and whether they have a legitimate business justification.
Methodology
Reflectiz analyzed 4,700 major websites over a 12-month period (through November 2025) using a proprietary exposure rating system. The system weighs millions of data points collected from scanning millions of websites, considers each risk factor in context, and sums them into an overall risk level expressed as a simple grade from A to F. The findings were supplemented by a survey of more than 120 security leaders in the healthcare, finance, and retail industries.
Risk of unauthorized access
The report highlights a widening governance gap known as ‘undue access’: third-party tools being given access to sensitive data without a clear business need.
Access is flagged if a third-party script meets any of the following criteria:
Extraneous functionality: reading data that is not needed for the task (e.g. a chatbot accessing payment fields).
Zero-ROI presence: remaining active on high-risk pages despite having zero data submissions for more than 90 days.
Shadow deployment: injection via a tag manager without security monitoring or a “least privilege” scope.
Excessive privileges: using “full DOM access” to scrape entire pages instead of restricted elements.
“Organizations are allowing access to sensitive data by default, not by exception.” This trend is most evident in entertainment and online retail, where marketing pressure often takes precedence over security reviews.
This study identifies specific tools that facilitate this exposure.
Google Tag Manager: accounts for 8% of all unauthorized sensitive data accesses.
Shopify: accounts for 5% of unauthorized accesses.
Facebook Pixel: in 4% of analyzed deployments, the pixel was found to be over-permissive, capturing sensitive input fields not needed for feature tracking.
This governance gap is not theoretical. A recent survey of more than 120 security decision makers in the healthcare, financial, and retail industries found that 24% of organizations rely solely on common security tools such as WAFs, leaving them vulnerable to the specific third-party risks identified in the study. A further 34% are still evaluating dedicated solutions. In other words, 58% of organizations are aware of the threat but lack the appropriate defenses.
Critical infrastructure under siege
Statistics show a significant spike in breaches at government and educational institutions, and the cause is financial rather than technical.
Government sector: malicious activity jumped from 2% to 12.9%.
Education sector: indications of compromised sites quadrupled to 14.3% (1 in 7 sites).
Insurance sector: in contrast, malicious activity decreased by 60% to just 1.3%.
Budget-constrained institutions are losing the supply chain battle, while the private sector, with larger governance budgets, is stabilizing its environment.
Survey respondents confirmed this: 34% cited budget constraints as the main barrier, and 31% cited lack of staffing. This combination hits public institutions particularly hard.
Gap between awareness and action
The survey of security leaders reveals organizational dysfunction.
81% make web attacks a priority, yet only 39% have solutions in place.
61% are still evaluating solutions or relying on inappropriate tools.
Unauthorized access rose from 51% to 64% despite this awareness.
Biggest obstacles: budget (34%), regulation (32%), staffing (31%).
Consequences: Awareness without action creates massive vulnerability. The 42-point difference explains the 25% year-over-year increase in unauthorized access.
Marketing department factors
The main driver of this risk is the “marketing footprint.” The study found that marketing and digital departments currently drive 43% of total third-party risk exposure, while IT departments generate just 19%.
The report found that 47% of apps running on payment frames lack business justification. Marketing teams often introduce conversion tools into these sensitive environments without realizing the impact.
Security teams are aware of this threat. In a practitioner survey, 20% of respondents ranked supply chain attacks and third-party script vulnerabilities in their top three concerns. However, the organizational structures to guard against these risks – central oversight of third-party deployments – remain absent in most organizations.
How a pixel compromise would dwarf Polyfill.io
Facebook Pixel has a 53.2% penetration rate, which makes it a single point of failure for the ecosystem. The risk is not the tool itself but the unmanaged privilege: “Full DOM Access” and “Automatic Advanced Matching” turn a marketing pixel into an unintended data scraper.
Precedent: a compromise would be five times larger than the Polyfill.io attack of 2024, exposing data on half of the major web at once. Polyfill.io affected 100,000 sites over several weeks; Facebook Pixel’s 53.2% penetration rate means more than 2.5 million sites could be compromised instantly.
Fix: introduce context-aware scoping. Limit pixels to landing pages, where they deliver ROI, and strictly block them from payment or credential frames when they lack a business justification.

What about the TikTok pixel and other trackers? For more information, download the full report >>
Technical indicators of compromise
This research identifies for the first time technical signals that predict compromised sites.
Compromised sites don’t always use malicious apps. Those sites are characterized by a “noisy” configuration.
Automatic detection criteria:
Recently registered domains: domains registered within the past six months appear 3.8 times more often on compromised sites.
External connections: compromised sites connect to 2.7x more external domains (100 vs. 36).
Mixed content: 63% of compromised sites mix HTTPS and HTTP resources.
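The three indicators above can be computed from a single page load. The following is an added example, not code from the Reflectiz report; the page URL, resource list, registration dates and the report-average baseline of 36 external domains are constructed or taken from the figures above.

```javascript
// Added example, not code from the Reflectiz report: computes the three
// "noisy configuration" indicators for one page load. The page URL,
// resource list and registration dates are constructed sample data.
// Constructed WHOIS-style registration dates for the third-party hosts used below.
const REGISTRATION_DATES = {
  "cdn.example-analytics.net": "2025-09-20",
  "pixel.example-ads.com": "2019-03-02",
};
// Naive registrable domain (last two labels); adequate for this sample data.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}
// baselineExternal is the comparison point for the external-domain count (the
// report's average site: 36); maxAgeDays defines "recently registered" (six months).
function auditPageLoad(pageUrl, resourceUrls, regDates, asOf,
                       baselineExternal = 36, maxAgeDays = 183) {
  const page = new URL(pageUrl);
  const firstParty = registrableDomain(page.hostname);
  const cutoff = new Date(asOf).getTime() - maxAgeDays * 86400000;
  const external = new Set();
  let mixed = 0, recent = 0;
  for (const raw of resourceUrls) {
    const u = new URL(raw, pageUrl);          // resolves relative URLs
    if (page.protocol === "https:" && u.protocol === "http:") mixed++;
    if (registrableDomain(u.hostname) === firstParty) continue;
    if (external.has(u.hostname)) continue;   // count each external host once
    external.add(u.hostname);
    const reg = regDates[u.hostname];
    if (reg && new Date(reg).getTime() > cutoff) recent++;
  }
  return {
    externalDomains: external.size,
    mixedContentRequests: mixed,
    recentlyRegistered: recent,
    flags: {
      tooManyExternal: external.size > baselineExternal,
      mixedContent: mixed > 0,
      recentDomains: recent > 0,
    },
  };
}
// Constructed sample: an HTTPS checkout page loading four resources.
const SAMPLE = auditPageLoad(
  "https://shop.example/checkout",
  ["/static/app.js", "https://cdn.example-analytics.net/a.js",
   "https://cdn.example-analytics.net/b.js", "http://pixel.example-ads.com/p.gif"],
  REGISTRATION_DATES, "2025-11-30");
```

In practice the resource list comes from the browser's performance entries or a crawler, and registration dates from a WHOIS/RDAP lookup cache.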
Benchmarks for security leaders
Of the 4,700 sites analyzed, 429 sites demonstrated strong security results. These organizations are proving that functionality and security can coexist.

ticketweb.uk: the only site that meets all 8 benchmarks (Grade A+).
GitHub, PayPal, Yale University: meet 7 benchmarks (Grade A).
8 Security Benchmarks: Leaders and Averages
The benchmarks below represent achievable goals based on real-world performance, rather than theoretical ideals. Leaders maintain eight or fewer third-party apps, while the average organization struggles with 15 to 25. The difference is not in resources, but in governance. Here’s how all eight metrics compare:

Three quick wins to prioritize
1. Audit trackers
Inventory all pixels and trackers.
Identify ownership and business justification for each.
Remove tools that cannot justify their data access.
Priority fix:
Facebook Pixel: disable “Automatic Advanced Matching” on PII pages.
Google Tag Manager: ensure no access to payment pages.
Shopify: check app permissions.
2. Implement automatic monitoring
Introduce the following runtime monitoring:
Sensitive field access detection (card, SSN, credentials).
Real-time alerts on unauthorized collection.
CSP violation tracking.
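One way to implement the first of these runtime checks in the browser, as an added example that is not from the report or any vendor product: wrap the input value getter and report reads that reach it from a third-party origin not allowed to read that kind of field. Field names, origins and the report endpoint are assumed.

```javascript
// Added example, not from the report: client-side telemetry for "sensitive
// field access detection". It wraps the HTMLInputElement value getter and
// reports reads that originate from a third-party script not allowed to
// read that field kind. Field names, origins and the report URL are assumed.
const SENSITIVE = { "card-number": "card", cvv: "card", ssn: "ssn", password: "credential" };
const FIRST_PARTY = "https://shop.example";
// Allow list: which third-party origins may read which field kinds on this page.
const ALLOWED = { "https://pay.example-psp.com": ["card"] };
// Extract every script origin that appears in an Error stack (V8/SpiderMonkey formats).
function originsFromStack(stack) {
  const out = new Set();
  for (const m of stack.matchAll(/(https?:\/\/[^\s/:)]+(?::\d+)?)/g)) out.add(m[1]);
  return [...out];
}
// Returns a finding when a non-allowed third-party origin is on the call stack
// of a read of a sensitive field, otherwise null.
function classifyRead(fieldName, stack) {
  const kind = SENSITIVE[fieldName];
  if (!kind) return null;
  const offenders = originsFromStack(stack)
    .filter((o) => o !== FIRST_PARTY && !(ALLOWED[o] || []).includes(kind));
  return offenders.length ? { field: fieldName, kind, origins: offenders } : null;
}
// Install the getter hook. Returns false outside a browser (e.g. under Node).
// This is telemetry, not enforcement: a script can still reach the original
// descriptor, so pair it with CSP and scoped tag-manager loading.
function installHook(report) {
  if (typeof HTMLInputElement === "undefined") return false;
  const desc = Object.getOwnPropertyDescriptor(HTMLInputElement.prototype, "value");
  Object.defineProperty(HTMLInputElement.prototype, "value", {
    configurable: true,
    enumerable: desc.enumerable,
    set: desc.set,
    get() {
      const hit = classifyRead(this.name, new Error().stack || "");
      if (hit) report(hit);
      return desc.get.call(this);
    },
  });
  return true;
}
// Ship findings to a first-party collector; CSP violation reports can land there too.
installHook((hit) => navigator.sendBeacon("/field-access-report", JSON.stringify(hit)));
```

Load this script before any tag manager so the hook is in place when third-party code runs.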
3. Address the marketing and IT divide
CISO and CMO joint review:
Marketing tools in the payment frame.
Facebook Pixel scoping (using allow/exclude lists).
Tracker ROI vs. security risk.
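The four undue-access criteria from the “Risk of unauthorized access” section and the joint review items above can be applied to a tracker inventory mechanically. The following is an added example, not code from the report; the inventory, payment paths and justifications are constructed.

```javascript
// Added example, not from the report: audits a third-party inventory against
// the four undue-access criteria (extraneous functionality, zero-ROI presence,
// shadow deployment, excessive privileges) and marks apps sitting in payment
// frames for the CISO/CMO review. Inventory, paths and justifications are
// constructed; a real run would take them from the tag manager and scanner.
const PAYMENT_PATHS = [/^\/checkout/, /^\/pay/];
const ZERO_ROI_DAYS = 90;
// Field kinds each app is signed off to read (its business justification).
const JUSTIFIED = {
  "payment-sdk": ["card", "cvv", "email"],
  "support-chat": ["email"],
  "fb-pixel": ["email"],
};
function daysBetween(from, to) {
  return Math.round((new Date(to) - new Date(from)) / 86400000);
}
function auditApp(app, asOf) {
  const findings = [];
  const onPayment = app.pages.some((p) => PAYMENT_PATHS.some((re) => re.test(p)));
  const justified = JUSTIFIED[app.id] || [];
  const extra = app.fieldsRead.filter((f) => !justified.includes(f));
  if (extra.length) findings.push({ rule: "extraneous-functionality", fields: extra });
  // Active on a high-risk page with no data submissions for more than 90 days.
  const idleDays = daysBetween(app.lastSubmission || app.deployed, asOf);
  if (onPayment && idleDays > ZERO_ROI_DAYS) findings.push({ rule: "zero-roi-presence", idleDays });
  if (app.injectedVia === "tag-manager" && !app.monitored) findings.push({ rule: "shadow-deployment" });
  if (app.fullDomAccess && onPayment) findings.push({ rule: "excessive-privileges" });
  return { id: app.id, onPaymentFrame: onPayment, findings };
}
// Only apps with at least one finding are returned, most findings first.
function auditInventory(inventory, asOf) {
  return inventory.map((a) => auditApp(a, asOf))
    .filter((r) => r.findings.length > 0)
    .sort((a, b) => b.findings.length - a.findings.length);
}
// Constructed inventory snapshot as of 2025-11-30.
const INVENTORY = [
  { id: "payment-sdk", pages: ["/checkout"], fieldsRead: ["card", "cvv"], injectedVia: "first-party",
    monitored: true, fullDomAccess: false, deployed: "2024-01-10", lastSubmission: "2025-11-29" },
  { id: "support-chat", pages: ["/help", "/checkout"], fieldsRead: ["email", "card"],
    injectedVia: "tag-manager", monitored: false, fullDomAccess: true, deployed: "2025-02-01",
    lastSubmission: "2025-07-01" },
  { id: "fb-pixel", pages: ["/", "/product"], fieldsRead: ["email"], injectedVia: "tag-manager",
    monitored: true, fullDomAccess: true, deployed: "2025-05-05", lastSubmission: "2025-11-28" },
];
const REPORT = auditInventory(INVENTORY, "2025-11-30");
```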
Download the full report
Get the full 43-page analysis, including:
✅ Risk breakdown by sector
✅ Complete list of risky third-party apps
✅ Year-on-year trend analysis
✅ Best practices for security leaders
Download the full report here
