
"Research analyzing 4,700 leading websites reveals that 64% of third-party applications now access sensitive data without business justification, up from 51% in 2024. Government sector malicious activity spiked from 2% to 12.9%, while 1 in 7 Education sites show active compromise. Specific offenders: Google Tag Manager (8% of violations), Shopify (5%), Facebook Pixel (4%)."
"Over 12 months (ending Nov. 2025), Reflectiz analyzed 4,700 leading websites using its proprietary Exposure Rating system. It analyzes the huge number of data points it gathers from scanning millions of websites by considering each risk factor in context, adds them together to create an overall level of risk, and expresses this as a simple grade, from A to F. Findings were supplemented by a survey of 120+ security leaders in the healthcare, finance, and retail sectors."
"Gartner coined 'Web Exposure Management' to describe security risks from third-party applications: analytics, marketing pixels, CDNs, and payment tools. Each connection expands your attack surface; a single vendor compromise can trigger a massive data breach by injecting code to harvest credentials or skim payments. This risk is fueled by a governance gap, where marketing or digital teams deploy apps without IT oversight. The result is chronic misconfiguration, where over-permissioned applications are granted access to sensitive data fields they don't functionally need."
64% of third-party applications now access sensitive data without a business justification, up from 51% in 2024, increasing risk exposure across sectors. Government-targeted malicious activity jumped from 2% to 12.9%, and roughly one in seven education sites show active compromise. Common offending tools include Google Tag Manager, Shopify, and Facebook Pixel. A governance gap enables marketing and digital teams to deploy apps without IT oversight, producing chronic misconfiguration and over-permissioned applications. Analysis covered 4,700 leading websites over 12 months using a proprietary Exposure Rating and was supplemented by a survey of 120+ security leaders.
Read at The Hacker News