- What: Meta and TikTok may be stealing users' sensitive personal information through ads
- Impact: Users' private data could be exposed when clicking on ads
Meta, TikTok Steal Users' Sensitive PII When They Click on Ads

Tracking pixels let social media companies spy on their own customers when they click over to advertiser sites, gleaning credit card info, currency type, and more.

Nate Nelson, Contributing Writer
March 18, 2026

Social media companies are weaponizing ad tracking pixels to collect extensive personal information about users when they visit advertisers' websites, even if those users expressly request that those sites do not share their data.

Cybersecurity professionals call software programs infostealers when they steal victims' information — like their personally identifying information (PII), credit card details, and more — without their consent. Then, usually, hackers will use that information to make money. By that definition, if new research from Jscrambler is to be believed, the two most prolific information stealing operations on the planet are not nominally cybercriminal; they're legal corporations like Meta and TikTok.

"The main difference between pixel scripts and 'real' infostealers is that pixel scripts have a privacy policy and some configuration settings, so the description isn't far off," says Jscrambler head of security research Gareth Bowker.

The world's largest social media companies use the guise of advertising analytics to exfiltrate sensitive information about anyone who clicks ads on their platforms. Not only is the extent of it gluttonous — full names, locations, credit card numbers, behavioral data, and much more — but according to the cybersecurity company's report, it happens regardless of the victim's explicitly defined data sharing preferences. That, the researchers argue, could be a serious violation of multiple data privacy laws, not just by Meta and TikTok, but by any advertisers that consent to run these malicious scripts.
Dark Reading reached out to both Meta and TikTok for comment on this story. Both companies responded, but neither provided comment as of the time of publication.

Meta, TikTok Spy on Their Users

To make the most out of their social media marketing, many companies are willing to sign a deal with the devil. Besides just paying companies like Meta and TikTok to run their ads, they'll also incorporate those companies' tracking pixels into their own websites, which scoop up user data helpful for tracking the results of those ad campaigns. According to W3Techs, 9% of all websites run the Meta pixel, and 0.7% the TikTok pixel.

Tracking pixels are snippets of JavaScript code linked to transparent, single-pixel images injected into a website. Whenever a site loads the invisible image, the script runs and exfiltrates the user's data to the service provider's servers. The service provider then packages this data into profiles of individual Web surfers, and uses it to allow advertisers to perform more invasive microtargeting. Because website owners consent to this arrangement, and because social media users blindly accept interminable-by-design privacy policies, it's widely considered controversial, if short of malicious.

Both parties should be aware, though, that Meta and TikTok's pixels siphon a whole lot more than some narrow range of advertising-related data, including:

- PII: First and last names, email addresses, phone numbers, locations, and other identifying details.
- Credit card details: Last four digits, expiration dates, and cardholder names.
- Granular shopping flow information: Names, prices, and quantities of the products users shop for, currency used to pay for them, and the total values of their carts. Plus, specific actions they performed in the shopping process, such as clicking to add items to their carts or entering their payment information.
Meta goes one step further than TikTok here, recording the structure of advertisers' checkout forms and buttons.

And that's not all. The Meta and TikTok pixels run irrespective of the user's decision to accept, reject, or customize how websites use their information. In fact they run before that choice is even presented to the user — as soon as they first load the site. The consent banner option "Do Not Share My Personal Information" is fait accompli, like the plastic steering wheel parents give their children so they can pretend to drive the car.

Advertisers Left Holding the Bag

The Meta and TikTok pixels are configurable, so advertisers are able to adjust what information they collect. Obviously, both collect as much information as possible out of the box, and are most profitable to Meta and TikTok when left untouched.

Bowker argues that it's not fair for Meta and TikTok to put all the burden on their customers. "While some responsibility lies with the businesses using these tracking pixels, we also see that TikTok and Meta's pixels are built to collect as much data as possible, while relying on terms, implementation guidance, and limited guardrails to make that collection defensible," he says.

"Many companies do not fully understand or review the third-party tools they place on sensitive parts of their websites," he laments. As a result, "Businesses risk losing customer trust, damaging their reputation, creating compliance problems, and exposing their websites to unnecessary third-party risk. It also poses competitive risks by potentially feeding pricing, buying behavior, and other proprietary business flows into TikTok and Meta's global advertising algorithms, which could benefit rivals that also use the platforms for targeting and advertising. Companies should be frustrated not only with the vendors, but also with their own failure to properly assess and limit these tools."
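One way a site owner can check for the behaviour described above (third-party pixel requests that fire before the consent choice, or after a rejection) is to audit a captured request log against the consent timestamp. This is an added example, not code from the article or the Jscrambler report; the hostnames, field names, and log format are constructed placeholders.

```javascript
// Field names treated as sensitive (assumed names, modelled on the
// categories the article lists: PII, card details, shopping flow).
const SENSITIVE =
  /^(email|phone|first_name|last_name|card_last4|card_exp|currency|cart_total)$/i;

// Collect sensitive keys from the query string and from a JSON or
// URL-encoded body (top-level keys only).
function sensitiveKeys(req) {
  const keys = new Set();
  for (const k of new URL(req.url).searchParams.keys()) {
    if (SENSITIVE.test(k)) keys.add(k);
  }
  if (req.body) {
    let fields;
    try { fields = Object.keys(JSON.parse(req.body)); }
    catch { fields = [...new URLSearchParams(req.body).keys()]; }
    for (const k of fields) if (SENSITIVE.test(k)) keys.add(k);
  }
  return [...keys].sort();
}

// Flag third-party requests sent before the user chose, or after "reject".
function auditRequests(log, consent, siteHost) {
  const findings = [];
  for (const req of log) {
    const host = new URL(req.url).hostname;
    if (host === siteHost || host.endsWith("." + siteHost)) continue; // first party
    const beforeChoice = req.t < consent.t;
    const afterReject = !beforeChoice && consent.choice === "reject";
    if (!beforeChoice && !afterReject) continue; // user accepted sharing
    findings.push({
      host, t: req.t,
      reason: beforeChoice ? "before-consent" : "after-reject",
      fields: sensitiveKeys(req),
    });
  }
  return findings;
}

// Constructed sample: t is milliseconds since navigation start.
const SAMPLE_LOG = [
  { t: 120, url: "https://shop.example/static/app.js" },
  { t: 340, url: "https://pixel.vendor-a.example/tr?ev=PageView&currency=USD" },
  { t: 2500, url: "https://analytics.vendor-b.example/collect",
    body: JSON.stringify({ event: "AddPaymentInfo", email: "user@example.test",
                           card_last4: "4242", cart_total: 59.9 }) },
  { t: 2600, url: "https://cdn.shop.example/img/logo.png" },
];
const SAMPLE_CONSENT = { t: 1800, choice: "reject" }; // banner answered at 1.8 s
console.log(auditRequests(SAMPLE_LOG, SAMPLE_CONSENT, "shop.example"));
```

Any finding with a non-empty `fields` list on a checkout or account page is a candidate for restricting the tag's configuration or moving its load behind the consent decision.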
The fact that advertisers have configuration options, which they might not be exercising, also exposes them to legal threats.

Companies That Consent Face Legal Risk

The consequences of Meta and TikTok's wanton data theft will fall not on them, but on their users and their advertisers.

General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) violations are already baked into social media companies' business models. At Meta, annual multi-hundred-million-dollar GDPR fines are eclipsed only by the money it earns by breaking all those rules in the first place. The companies that consent to run their trackers, however, haven't necessarily anticipated and budgeted for the legal risks they may have incurred for having agreed to run tracking pixels, and for having failed to adequately rein them in.

In response to an inquiry from Dark Reading, a TikTok spokesperson emphasized that advertisers are responsible for configuring the TikTok Pixel to comply with their local laws. "Businesses decide what events and parameters they send through their pixel implementation. Any data received via advertising integrations is limited to what partners intentionally configure and send," they wrote. They added that, when it comes to users, "We offer people tools to access, manage, and delete information associated with their accounts, and advertisers are expected to configure their implementations in ways that respect user choices and applicable privacy obligations."

Dark Reading also contacted Meta for this story. Meta responded, but didn't provide comment as of the time of publication.

For a glimpse into their futures, Meta and TikTok advertisers might look to the class action lawsuit filed against Mass General Brigham and its affiliated hospitals, including the famed Dana-Farber Cancer Institute, some years back.
In that case, visitors to these hospitals' websites argued that they weren't adequately informed that third parties were using tracking pixels and cookies to collect and monetize their personal and health-related online behaviors. In 2021, Mass Genera