Are your websites leaking sensitive data? New research shows that 45% of third-party apps gain access to user information without proper permission, and 53% of retail risks are linked to overuse of tracking tools. Learn how to identify and mitigate these hidden threats and risks — download the full report here.
New research from web exposure management specialist Reflectiz reveals some alarming findings about the large number of website vulnerabilities that organizations across many industries are needlessly exposed to.
For example, one striking statistic from the report is this: 45% of third-party applications access sensitive user information without a valid reason. While third-party apps may be important for marketing and functional purposes, not all of them need access to the kind of personal and financial user information that cybercriminals prey on. It’s safer to grant applications access to such data only where it is genuinely needed.
For the report, Reflectiz collected its own proprietary data from the top 100 websites (by site visits) in each industry, so the fact that nearly half of all third-party programs in such a large sample collect sensitive user data when they don’t need to is a surprise.
Realizing that this practice is so widespread will make many website owners wonder what other surprises may be lurking in their web ecosystems and how big their online exposure really is. If there’s one thing owners in any industry can take away from this report, it’s that they’re almost guaranteed to have their own unexpected, unresolved weaknesses. (And the chart below shows convincingly that they will…)
Disclosure of confidential data
The chart below, taken from the report, shows that there are differences across industries when it comes to the programs that can access sensitive user data. With this in mind, companies operating in the entertainment and online retail sectors may want to pay extra attention to how many of their applications are unnecessarily accessing sensitive data and increasing their exposure online.
If you are not familiar with the term online exposure, it was coined by Gartner to describe the range of risks facing today’s websites because they connect to dozens of third-party software products, CDN repositories, and open source tools that help with tracking and functionality tasks. Each of these increases the size of the attack surface and is a potential target for attackers, but while website owners cannot avoid using these related assets, they can take steps to make each of them more secure. Verifying that third-party apps aren’t gaining unwarranted access to users’ sensitive personal, financial, and health information is a good start and a quick win, but the report reveals a lot more.
For example, it considers app popularity as a risk factor:
It is generally accepted that more popular apps are more secure. This is based on the idea that if an app has been around for a long time and has built up a significant user base, then user communities and security professionals will have reached an accurate conclusion about its reputation. They’ll know how reliable it is and whether its developers can be trusted to use modern coding practices, release improvements, and fix bugs quickly. Less popular apps are more likely to be ignored and are at greater risk of being hacked, so they shouldn’t be trusted to access users’ personal data. On this basis, a well-established application is considered less risky than one that appeared yesterday.
The diagram above shows that:
- Leisure and hospitality industry websites run an average of just over two unpopular programs.
- Online shopping and entertainment websites run about one.
If owners haven’t confirmed that these apps are safe, it’s best for them to disable them and use alternatives until they do. Following these simple steps will lower your overall web exposure score.
Tracking technologies
However, even well-established third-party applications can increase an organization’s web exposure, especially tracking applications, as shown in the table below:
Facebook and TikTok pixels, for example, are known to collect sensitive user information when misconfigured. That’s why the study covers the prevalence of these and other tracking technologies on various industry websites, but the interesting thing about it (and the Reflectiz data collection exercise that informed it) is that the raw number of deployed trackers or pixels doesn’t necessarily tell the whole picture.
For example, looking at the table below, it might seem that the websites of the publishing industry pose the greatest risk to user privacy, because each of them contains an average of about 12 trackers. While it may seem like they offer attackers twice as many opportunities to steal data as healthcare websites, with fewer than six trackers on each, there are more factors to consider.
While these findings should prompt publishers to reconsider their use of tracking technologies due to privacy risks, they should also take the table below as a prompt to ask where these pixels are being deployed and by whom. The report not only highlights potentially compromising practices, but also encourages businesses to appreciate the importance of context. In this case, the context includes what is being done and which department is doing it:
The State of Internet Impact 2025 found that marketing and digital departments were more likely to push for risky practices such as tracking pixels on payment iFrames for no good reason. This is an inherently more dangerous context than running a pixel on a page full of static images, because if the pixel is modified by an attacker, it has a better chance of stealing the user’s payment data. (This may also be a riskier context than a healthcare website, which tends to attract more attention from attackers.) Therefore, a publishing company seeking to reduce its overall online exposure should prioritize teaching best practices to marketing department staff.
Bottom line
The report provides a lot of interesting information: websites in the entertainment industry experience almost twice as much malicious activity as websites in the financial industry, for example. Education industry sites are at high risk due to their over-reliance on public content delivery networks. As this kind of information accumulates, it’s becoming clear that there is no one-size-fits-all approach for companies in various industries that want to reduce their web exposure. The context of the risk factors affecting them will determine their response to them.
The report shows that every industry faces a landscape of dynamically changing risk variables, and the need to translate these into actionable priorities is what prompted Reflectiz to develop an innovative technology called Exposure rating. It analyzes the vast number of data points collected from scanning millions of websites, looks at each risk factor in context, adds them together to create an overall risk level, and expresses this as a simple grade from A to F, together with advice on how to improve it. It’s an easy-to-understand way to define security priorities for each organization, focus their attention where it’s most needed, and benchmark their performance against their industry peers.
Download the full version of the research report here.