
New Research: The State of Web Exposure 2025

By The Hacker News
January 23, 2025


Are your websites leaking sensitive data? New research reveals that 45% of third-party apps access user info without proper authorization, and 53% of risk exposures in Retail are due to the excessive use of tracking tools. Learn how to uncover and mitigate these hidden threats and risks—download the full report here.

New research by web exposure management specialist Reflectiz reveals several alarming findings about the high number of website vulnerabilities organizations across many industries are needlessly exposing themselves to.

For instance, one standout statistic from the report is that 45% of third-party applications access sensitive user information without good reason. Although third-party apps may be essential for marketing and functionality purposes, not all of them need access to the kind of personal and financial user information that cybercriminals are hunting for. It’s safer to limit apps’ access to it on a need-to-know basis.

For the report, Reflectiz gathered its own proprietary data from the top 100 websites (according to number of site visits) in each industry, so the fact that close to half of all third-party apps in such a large sample are gathering sensitive user data when they don’t need to comes as a surprise.

The realization that this practice is so widespread will cause many website owners to wonder what other surprises might be lurking in their web ecosystems and how large their web exposure footprint really is. If there’s one thing that owners in any industry can take away from this report it’s that they are almost guaranteed to have unexpected unresolved vulnerabilities of their own. (And the chart below strongly suggests that they will…)

Sensitive Data Exposure

The chart below, taken from the report, shows that there is variation between industries when it comes to apps that can access sensitive user data. With that in mind, companies working in the Entertainment and Online Retail sectors may want to pay extra attention to how many of their apps are accessing sensitive data unnecessarily and increasing their web exposure.

If you aren’t familiar with the term web exposure, it was coined by Gartner to describe the range of risks that modern websites face because they connect with dozens of essential third-party apps, CDN repositories, and open source tools that help with tracking and functionality tasks. Each one increases the size of the attack surface and is a potential target for malicious actors, but although website owners cannot avoid using these connected assets, they can take steps to make each one safer. Checking that the third-party apps aren’t needlessly accessing users’ sensitive personal, financial, and health information is a good place to start for a quick win, but the report reveals many others.

For instance, it looks at app popularity as a risk factor:

It’s generally accepted that more popular apps are safer. This is based on the idea that if an app has been around for a long time and developed a sizable user base then user communities and security professionals will have reached an accurate conclusion about its reputation. They will know whether it’s robust and if its developers can be trusted to use modern coding practices, issue improvement updates, and quickly patch bugs. Less popular apps are more likely to be neglected and are at greater risk of compromise, so they shouldn’t be trusted to access personal user data. On that basis, a popular app is seen as less risky than one that appeared yesterday.

The chart above shows that:

  • Leisure and Hospitality industry websites integrate an average of just over two unpopular apps.
  • Online Retail and Entertainment include around one.

If owners haven’t established that these apps are safe, they would be best advised to disable them and use alternatives until they have. Taking simple steps like these will reduce their overall web exposure score.

Tracking Technologies

That said, even well-established third-party apps can increase an organization’s level of web exposure, particularly tracking apps, as the chart below shows:

The Facebook and TikTok pixels, for example, have been known to collect private user information after being misconfigured. This is why the research covers the prevalence of these and other tracking technologies on various industry websites, but an interesting thing about it (and about the Reflectiz data-gathering exercise that informed it) is the fact that the sheer number of trackers or pixels deployed doesn’t necessarily reveal the whole picture.

For instance, looking at the chart below, it may seem that Publishing industry websites pose the greatest risk to user privacy because they average around 12 trackers each. While they might appear to offer twice as many data-stealing opportunities to malicious actors as healthcare websites, with just under six trackers each, there are more factors to consider.

Although these findings should prompt publishers to review their use of tracking technologies because of the privacy risks, they should also take the chart below as a cue to ask where these pixels are being deployed and by whom. The report doesn’t just reveal potentially compromising practices, it also encourages businesses to appreciate the importance of context. In this case, the context includes what is being done, and which department is doing it:

The State of Web Exposure 2025 found that marketing and digital departments are more likely to instigate risk, such as tracking pixels in payment iFrames for no reason. This is an inherently more dangerous context than running a pixel on a page full of static images because if it’s modified by malicious actors, it has a better chance of stealing user payment data. (It may also be a riskier context than a healthcare website, which will tend to attract more attacks by malicious actors.) Therefore, a publishing business looking to reduce its overall web exposure should prioritize best-practice training for staff in its marketing department.

The Bottom Line

The report turns up many interesting insights: Entertainment industry websites experience almost twice as much malicious activity as Finance industry sites, for example. Education industry sites are exposed to high risk due to their overreliance on public content delivery networks. As such insights pile up, it becomes clear that companies across industries wishing to reduce their web exposure can’t take a one-size-fits-all approach. The context of the risk factors affecting them will shape their responses to them.

The report reveals that each industry faces a landscape of dynamically shifting risk variables, and the need to turn them into actionable priorities is what prompted Reflectiz to pioneer an innovative technology called Exposure Rating. It analyzes the huge number of data points it gathers from scanning millions of websites by considering each risk factor in context, adds them together to create an overall level of risk, and expresses this as a simple grade, from A to F, with added remediation advice. It’s an easy-to-understand way of identifying the security priorities for each organization, focusing their attention where it’s most needed, and benchmarking their performance against industry peers.

Download the full research report here.

This article is a contributed piece from one of our valued partners.




