New Research Exposes Critical Gap: 64% of Third-Party Applications Access Sensitive Data Without Authorization

Reflectiz today announced the release of its 2026 State of Web Exposure Research, revealing a sharp escalation in client‑side risk across global websites, driven primarily by third‑party applications, marketing tools, and unmanaged digital integrations.

According to the new analysis of 4,700 leading websites, 64% of third‑party applications now access sensitive data without legitimate business justification, up from 51% last year — a 25% year‑over‑year spike highlighting a widening governance gap.

The report also exposes a dramatic surge in malicious web activity across critical public‑sector infrastructure. Government websites saw malicious activity rise from 2% to 12.9%, while 1 in 7 Education websites now show active compromise, quadrupling year‑over‑year. Budget constraints and limited manpower were cited as primary obstacles by public‑sector security leaders.

The research identifies several widely used third‑party tools as top drivers of unjustified sensitive‑data exposure, including Google ...