The Good Tech Companies - New Research Shows 64% of Third-Party Applications Access Sensitive Data Without Authorization

Episode Date: January 22, 2026

This story was originally published on HackerNoon at: https://hackernoon.com/new-research-shows-64percent-of-third-party-applications-access-sensitive-data-without-authorization. This story was written by: @cybernewswire. Reflectiz releases its 2026 State of Web Exposure Research. 64% of third‑party applications access sensitive data without legitimate business justification. Google Tag Manager (8%), Shopify (5%), and Facebook Pixel (4%) are top drivers of sensitive data exposure.

Transcript
Starting point is 00:00:00 This audio is presented by HackerNoon, where anyone can learn anything about any technology. New research shows 64% of third-party applications access sensitive data without authorization. By CyberNewswire. Boston, Massachusetts, USA, January 21st, 2026, CyberNewswire. Reflectiz today announced the release of its 2026 State of Web Exposure Research, revealing a sharp escalation in client-side risk across global websites, driven primarily by third-party applications, marketing tools, and unmanaged digital integrations. According to the new analysis of 4,700 leading websites, 64% of third-party applications now access sensitive data without legitimate business justification, up from 51% last
Starting point is 00:00:46 year, a 25% year-over-year spike highlighting a widening governance gap. The report also exposes a dramatic surge in malicious web activity across critical public sector infrastructure. Government websites saw malicious activity rise from 2% to 12.9%, while one in seven education websites now show active compromise, quadrupling year over year. Budget constraints and limited manpower were cited as primary obstacles by public sector security leaders. The research identifies several widely used third-party tools as top drivers of unjustified sensitive data exposure, including Google Tag Manager (8%), Shopify (5%), and Facebook Pixel (4%), which were frequently found to be over-permissioned or deployed without adequate scoping.
Starting point is 00:01:33 "Organizations are granting sensitive data access by default rather than exception, and attackers are exploiting that gap," said VP of product at Reflectiz, Simon Arazi. "This year's data shows that marketing teams continue to introduce the majority of third-party risk, while IT lacks visibility into what's actually running on the website." Key findings include: 64% of apps accessing sensitive data have no valid justification. 47% of applications running in payment frames (checkout environments) are unjustified. Compromised sites connect to 2.7 times more external domains, load 2 times more trackers, and use recently registered domains 3.8 times more often than clean sites.
Starting point is 00:02:18 Marketing and digital departments account for 43% of all third-party risk. The report also introduces updated security leadership benchmarks, highlighting the very small group of organizations meeting all eight criteria. Only one website, Ticketweb.ukes, achieved a perfect score across the framework. The 2026 report includes sector-by-sector breakdowns of web exposure risk, full list of high-risk third-party applications, year-over-year industry trends, technical indicators of compromise, and best practice controls for security and digital teams. The complete 43-page analysis is available for download. HTTPS-Colon slash www. www.org slash learning dash hub slash web-exposure dash 26-dash research slash. About Reflectiz: Reflectiz empowers organizations to secure their websites and digital assets against modern web threats.
Starting point is 00:03:13 Its award-winning, agentless platform provides continuous visibility into all client-side activity, detecting and prioritizing security, privacy and compliance risks. Reflectiz is trusted by global enterprises across financial services, e-commerce, and healthcare to protect their data, users, and brand reputation. Contact VP Marketing Danielshirabe, Reflectiz Daniel.s. Daniel.S at Reflectiz.com. This story was published as a press release by CyberNewswire under the HackerNoon Business Blogging Program. Do your own research before making any financial decision. Thank you for listening to this HackerNoon story, read by artificial intelligence. Visit hackernoon.com to read, write, learn and publish.
