Meta, TikTok Steal Personal & Financial Info When Users Click Ads
Tracking pixels let social media companies spy on their users even after they click over to advertiser sites, gleaning credit card info, geolocations, and more.
Dark Reading, News
Nate Nelson, Contributing Writer
March 18, 2026
6 Min Read
Social media companies are weaponizing ad tracking pixels to collect extensive personal information about users when they visit advertisers' websites, even if those users expressly request that those sites do not share their data.
Cybersecurity professionals call software programs infostealers when they steal victims' information — like their personally identifying information (PII), credit card details, and more — without their consent. Then, usually, hackers will use that information to make money. By that definition, if new research from Jscrambler is to be believed, the two most prolific information-stealing operations on the planet are not nominally cybercriminal; they're legal corporations like Meta and TikTok.
"The main difference between pixel scripts and 'real' infostealers is that pixel scripts have a privacy policy and some configuration settings, so the description isn't far off," says Jscrambler head of security research Gareth Bowker. The world's largest social media companies use the guise of advertising analytics to exfiltrate sensitive information about anyone who clicks ads on their platforms. Not only is the extent of it gluttonous — full names, locations, credit card numbers, behavioral data, and much more — but according to the cybersecurity company's report, it happens regardless of the victim's explicitly defined data sharing preferences. That, the researchers argue, could be a serious violation of multiple data privacy laws, not just by Meta and TikTok, but by any advertisers that consent to run these malicious scripts.
In a statement to Dark Reading, a Meta spokesperson characterized Jscrambler's report as self-promotional clickbait. Without addressing any specific findings, they argued that it "misrepresents standard digital ad practices and how the Meta Pixel works — and ignores Meta’s privacy controls and that our policies prohibit sharing sensitive data with us."
Meta, TikTok Spy on Their Users
To make the most out of their social media marketing, many companies are willing to sign a deal with the devil. Besides just paying companies like Meta and TikTok to run their ads, they'll also incorporate those companies' tracking pixels into their own websites, which scoop up user data helpful for tracking the results of those ad campaigns. According to W3Techs, 9% of all websites run the Meta pixel, and 0.7% the TikTok pixel.
Tracking pixels are snippets of JavaScript code linked to transparent, single-pixel images injected into a website. Whenever a site loads the invisible image, the script runs and exfiltrates the user's data to the service provider's servers. The service provider then packages this data into profiles of individual Web surfers, and uses it to allow advertisers to perform more invasive microtargeting. Because website owners consent to this arrangement, and because social media users blindly accept interminable-by-design privacy policies, it's widely considered controversial, if short of malicious.
Both users and advertisers should be aware, though, that Meta and TikTok's pixels siphon a whole lot more than some narrow range of advertising-related data, including:
PII: First and last names, email addresses, phone numbers, locations, and other identifying details.
Credit card details: Last four digits, expiration dates, and cardholder names.
Granular shopping flow information: Names, prices, and quantities of the products users shop for, currency used to pay for them, and the total values of their carts. Plus, specific actions they performed in the shopping process, such as clicking to add items to their carts or entering their payment information. Meta goes one step further than TikTok here, recording the structure of advertisers' checkout forms and buttons.
And that's not all. According to Jscrambler, the Meta and TikTok pixels run irrespective of the user's decision to accept, reject, or customize how websites use their information. In fact, they run before that choice is even presented to the user, as soon as they first load the site, in apparent violation of data privacy laws. The consent banner option "Do Not Share My Personal Information" is a fait accompli, like the plastic steering wheel parents give their children so they can pretend to drive the car.
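One way a site can keep its own pixel calls from running ahead of the user's choice, and from carrying card or contact data, is to route every event through a gate that queues until consent is decided and forwards only an explicit allowlist of parameters. The block below is an added example written for this page; it is not Jscrambler's code nor either vendor's pixel API. The event names, the allowlist, the pattern checks, and the `transport` callback that stands in for a real pixel call are constructed assumptions.

```javascript
// Added example (not the article's or any vendor's code): a consent-gated,
// allowlisting wrapper placed between a checkout page and a third-party pixel.
// The pixel's real API is abstracted as a `transport(name, params)` callback.

// Per-event allowlist (constructed for illustration, not a vendor schema):
// only these parameters may ever reach the pixel.
const ALLOWED_PARAMS = {
  ViewContent: ['content_ids', 'currency', 'value'],
  AddToCart: ['content_ids', 'currency', 'value', 'num_items'],
  Purchase: ['currency', 'value', 'num_items'],
};

// Defence in depth: an allowlisted key is still dropped if its value looks
// like a card number or an email address.
const CARD_LIKE = /^\d{13,19}$/;                 // digits-only PAN length
const EMAIL_LIKE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

function sanitizeParams(eventName, params) {
  const allowed = ALLOWED_PARAMS[eventName];
  if (!allowed) return null;                     // unknown event: refuse to forward
  const clean = {};
  for (const key of allowed) {
    if (!(key in params)) continue;
    const value = params[key];
    if (typeof value === 'string' &&
        (CARD_LIKE.test(value.replace(/\s/g, '')) || EMAIL_LIKE.test(value))) {
      continue;                                  // looks like card/email data: drop
    }
    clean[key] = value;
  }
  return clean;
}

class PixelGate {
  constructor(transport) {
    this.transport = transport;   // the only path to the third-party pixel
    this.consent = null;          // null = not yet asked; true/false = user's choice
    this.queue = [];
  }

  // The page calls this instead of the pixel directly.
  // Returns what happened, which the site can log for its own audit trail.
  track(eventName, params = {}) {
    const clean = sanitizeParams(eventName, params);
    if (clean === null) return 'rejected';
    if (this.consent === null) {
      this.queue.push([eventName, clean]);
      return 'queued';
    }
    if (this.consent === false) return 'dropped';
    this.transport(eventName, clean);
    return 'sent';
  }

  // The consent banner calls this once the user decides. A refusal discards
  // the queue; an acceptance flushes it. Returns the number of events flushed.
  setConsent(granted) {
    this.consent = granted;
    const pending = this.queue.splice(0);
    if (!granted) return 0;
    for (const [name, p] of pending) this.transport(name, p);
    return pending.length;
  }
}

// Stand-alone check with a recording transport in place of a real pixel.
function demo() {
  const sent = [];
  const gate = new PixelGate((name, params) => sent.push({ name, params }));
  // Constructed checkout data, including fields that must never be forwarded.
  const r1 = gate.track('Purchase', {
    value: 49.99, currency: 'EUR',
    cardholder: 'A. Example', card_number: '4111 1111 1111 1111',
  });
  const r2 = gate.track('Login', { email: 'user@example.test' });
  const flushed = gate.setConsent(true);
  return { r1, r2, flushed, sent };
}
```

This gate governs only what the page's own code sends. A vendor script's automatic collection (form structure, field contents) is prevented only by not loading the script tag at all until `setConsent(true)` runs, so the two measures go together.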
Advertisers Left Holding the Bag
The Meta and TikTok pixels are configurable, so advertisers are able to adjust what information they collect. Obviously, both collect as much information as possible out of the box, and are most profitable to Meta and TikTok when left untouched.
Bowker argues that it's not fair for Meta and TikTok to put all the burden on their customers. "While some responsibility lies with the businesses using these tracking pixels, we also see that TikTok and Meta's pixels are built to collect as much data as possible, while relying on terms, implementation guidance, and limited guardrails to make that collection defensible," he says.
"Many companies do not fully understand or review the third-party tools they place on sensitive parts of their websites," he laments. As a result, "Businesses risk losing customer trust, damaging their reputation, creating compliance problems, and exposing their websites to unnecessary third-party risk. It also poses competitive risks by potentially feeding pricing, buying behavior, and other proprietary business flows into TikTok and Meta's global advertising algorithms, which could benefit rivals that also use the platforms for targeting and advertising. Companies should be frustrated not only with the vendors, but also with their own failure to properly assess and limit these tools."
The fact that advertisers have configuration options, which they might not be exercising, also exposes them to legal threats.
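Reviewing what a pixel actually sends, and when, is something an advertiser can do from a browser's own network capture before any regulator or plaintiff does. The block below is an added example, not part of the article and not Jscrambler's tooling: it audits a constructed request log for pixel calls fired before the consent decision and for PII-like values in their query strings. The host list, the endpoint paths, the parameter checks, and the log entries are assumptions made for this example.

```javascript
// Added example (not the article's or Jscrambler's code): offline audit of a
// captured request log of the kind a browser HAR export yields. `time` is
// milliseconds since page load; `consentAt` is when the user decided.

// Assumed third-party pixel hosts to audit (constructed list).
const PIXEL_HOSTS = ['connect.facebook.net', 'www.facebook.com', 'analytics.tiktok.com'];

// PII-like value checks. Checks with a `key` pattern only apply to matching
// parameter names, so an opaque numeric id is not mistaken for a phone number.
const PII_CHECKS = [
  { kind: 'email', test: (v) => /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v) },
  { kind: 'card_last4_or_pan', key: /(card|cc|pan)/i, test: (v) => /^\d{4}$|^\d{13,19}$/.test(v) },
  { kind: 'phone', key: /(phone|tel|mobile)/i, test: (v) => /^\+?\d[\d\s().-]{6,}\d$/.test(v) },
];

function classifyParam(key, value) {
  for (const check of PII_CHECKS) {
    if (check.key && !check.key.test(key)) continue;
    if (check.test(value)) return check.kind;
  }
  return null;
}

function isPixelHost(hostname) {
  return PIXEL_HOSTS.some((h) => hostname === h || hostname.endsWith('.' + h));
}

// Returns one finding per problem: either a pixel request that fired before
// consent (or with no consent recorded at all) or a PII-like query parameter.
function auditRequests(requests, consentAt) {
  const findings = [];
  for (const r of requests) {
    const url = new URL(r.url);
    if (!isPixelHost(url.hostname)) continue;        // first-party traffic is out of scope
    if (consentAt === null || r.time < consentAt) {
      findings.push({ url: r.url, issue: 'fired_before_consent', time: r.time });
    }
    for (const [key, value] of url.searchParams) {
      const kind = classifyParam(key, value);
      if (kind) findings.push({ url: r.url, issue: 'pii_in_request', param: key, kind });
    }
  }
  return findings;
}

// Constructed sample log: pixel id and endpoint paths are placeholders.
const SAMPLE_REQUESTS = [
  { time: 120, url: 'https://connect.facebook.net/en_US/fbevents.js' },
  { time: 900, url: 'https://www.facebook.com/tr/?id=0000000000&ev=PageView' },
  { time: 3100, url: 'https://analytics.tiktok.com/example/pixel?event=Purchase&em=user%40example.test&card_last4=1234' },
  { time: 3200, url: 'https://shop.example/api/cart?sku=42' },
];
const SAMPLE_CONSENT_AT = 2500;   // constructed: user clicked the banner at 2.5 s

function demoAudit() {
  return auditRequests(SAMPLE_REQUESTS, SAMPLE_CONSENT_AT);
}
```

Requests that load the pixel script itself count as pre-consent findings even though they carry no parameters, because loading the script is what starts the automatic collection described above; a POST body would need the same parameter check applied to its decoded form or JSON fields.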
Companies That Consent Face Legal Risk
The consequences of Meta and TikTok's wanton data theft will fall not on them, but on their users and their advertisers.
General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) violations are already baked into social media companies' business models. At Meta, annual multi-hundred-million-dollar GDPR fines are eclipsed only by the money it earns by breaking all those rules in the first place. The companies that consent to run their trackers, however, haven't necessarily anticipated and budgeted for the legal risks they may have incurred for having agreed to run tracking pixels, and for having failed to adequately rein them in.
In response to an inquiry from Dark Reading, a TikTok spokesperson emphasized that advertisers are responsible for configuring the TikTok Pixel to comply with their local laws. "Businesses decide what events and parameters they send through their pixel implementation. Any data received via advertising integrations is limited to what partners intentionally configure and send," they wrote. They added that, when it comes to users, "We offer people tools to access, manage, and delete information associated with their accounts, and advertisers are expected to configure their implementations in ways that respect user choices and applicable privacy obligations."
For a glimpse into their futures, Meta and TikTok advertisers might look to the class action lawsuit filed against Mass General Brigham and its affiliated hospitals, including the famed Dana-Farber Cancer Institute, some years back. In that case, visitors to these hospitals' websites argued that they weren't adequately informed that third parties were using tracking pixels and cookies to collect and monetize their personal and health-related online behaviors. In 2021, Mass General and Dana-Farber agreed to an $18 million settlement — not because they themselves spied on their visitors, or because anyone was harmed, but because users weren't made aware of how their data was being collected.
"Where businesses are aware of the potential pitfalls," Bowker says, "and they fail to review, restrict, or remove them, then they leave their business open to risk, especially when there are established laws designed to protect individuals' privacy, and those laws are broken."
This article was updated around 9:45 AM ET with a statement from Meta.
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.