Third-Party Tools Are Quietly Raising Web Risk in 2026, Reflectiz Report Warns

New research finds most websites allow unnecessary access to sensitive data, while public-sector sites face a surge in malicious activity.

Boston, MA, USA, 22 January 2026 – Reflectiz has released its 2026 State of Web Exposure Research, and the findings point to a growing cybersecurity problem hiding in plain sight: client-side risk is rising fast across global websites, largely due to third-party apps, marketing technologies, and unmanaged online integrations.

Based on an analysis of 4,700 leading websites, the report found that 64% of third-party applications accessing sensitive data are doing so without a legitimate business reason. That figure is up from 51% last year, marking a major 25% year-over-year jump. The trend highlights what Reflectiz describes as a widening governance gap, where organizations struggle to track and control what outside tools are doing inside their websites.

Why client-side security is becoming harder to control

Client-side risk refers to threats that come from scripts and applications running in a user’s browser. These tools may power analytics, advertising, payments, chat features, and personalization, but they also create openings for data exposure if not properly managed.

According to the report, the biggest concern is not always an obvious cyberattack. Instead, it is the sheer number of third-party tools operating with too many permissions, collecting data that businesses did not intend to share.

This matters because even trusted tools can become risky when deployed carelessly, misconfigured, or connected to multiple unknown external domains.

Public-sector websites face a sharp rise in malicious activity

One of the most alarming takeaways from the 2026 research is the spike in malicious web activity affecting public-sector infrastructure.

Reflectiz reported that government websites saw malicious activity jump from 2% to 12.9%. Education websites were also hit hard: around one in seven showed signs of active compromise, a rate that quadrupled year-over-year. Public-sector security leaders cited limited manpower and tight budgets as major reasons these threats are becoming harder to fight.

This increase suggests attackers are paying closer attention to public-facing websites that may not have the staffing or tools needed for continuous monitoring.

Common third-party tools are linked to sensitive data exposure

The report points to widely used third-party platforms as major drivers of unnecessary sensitive-data access. Tools such as Google Tag Manager, Shopify, and Facebook Pixel were frequently flagged for being over-permissioned or deployed without enough controls.

Reflectiz noted that these tools are not necessarily “bad” by design, but they can become high-risk when teams install them quickly, skip scoping reviews, or fail to limit what data they can access.

Payment pages and marketing scripts are a major weak spot

The research also found that checkout environments carry significant exposure risks. According to the report, 47% of applications running in payment frames are unjustified, meaning they operate in highly sensitive payment areas without a clear business need.

This is especially concerning because payment pages are prime targets for cybercriminals, and even small weaknesses can lead to serious consequences such as data leaks or fraud.

Reflectiz also found that compromised websites tend to show very clear technical patterns. These sites connect to 2.7 times more external domains, load twice as many trackers, and use recently registered domains 3.8 times more often than clean sites. In simple terms, hacked or risky websites usually “talk” to far more unknown places on the internet than secure ones.

Another notable finding is how much risk is linked to business functions outside traditional security teams. Marketing and digital departments were connected to 43% of overall third-party risk, reflecting how advertising, analytics, and conversion tools can unintentionally expand a website’s attack surface.

Only one website earned a perfect security benchmark score

Reflectiz also released updated Security Leadership Benchmarks in the report, outlining eight criteria for strong web exposure control. Only one website, ticketweb.uk, achieved a perfect score across all eight categories, showing how rare it is for organizations to fully manage these risks end-to-end.

What the 2026 web exposure report includes

Reflectiz said the report offers detailed sector-by-sector breakdowns of web exposure risk, a full list of high-risk third-party applications, year-over-year trends, and technical indicators that may signal a compromise. It also includes best-practice controls meant to help both security teams and digital teams reduce unnecessary data access and tighten governance.

As websites become more dependent on third-party scripts and tools, this research suggests that cybersecurity is no longer just about protecting servers or networks. The biggest threats may increasingly come from what runs directly inside the browser and from integrations organizations may not even realize are collecting sensitive information.
