Meta, TikTok and thousands of major websites are found swiping data you enter on forms—even if you don’t hit submit
When we enter our email addresses on a website, to do anything from registering an account to buying a ticket or subscribing to a newsletter, we might assume that the data won’t go anywhere until we hit the Enter button.
But new research indicates that this is not the case. After analyzing more than 100,000 websites, researchers from KU Leuven, Radboud University, and the University of Lausanne found that a staggering number of websites covertly collect everything typed into an online form even if users change their minds and leave the site without submitting.
The study, which used software mimicking a real user—visiting web pages and filling in login or registration pages without submitting—found that 1,844 websites in the EU had gathered the email addresses without the user’s consent. In the U.S., it was even worse, with 2,950 U.S. sites doing the same.
“It certainly exceeded our expectations by a lot,” says Güneş Acar, a professor and researcher at Radboud University, who explained that his team initially thought they would find just a couple hundred sites taking the user data.
“Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers—even if the form is never submitted,” the authors added.
While in some cases the websites themselves were collecting the data before submission, the study looked solely at data gathered by third-party advertising and marketing services like Taboola, Bizible, and Glassbox digital, which are incorporated into websites to monetize content.
This kind of data collection is similar to keylogging, in which a malware program logs everything a user types, often to steal passwords or other confidential information.
But while keylogging is a relatively rare type of malware, the practice of logging email addresses is not.
The top websites by traffic where email addresses were collected by tracker domains in the U.S. included well-known brands such as USAToday, Time, Fox News, and Trello, the study’s authors found.
In the EU, Newsweek, Shopify, and Marriott also appeared on the list.
The researchers also found a startling 52 websites where third parties were also collecting password data before submission.
The group said in the study it has since informed the sites that collected passwords and all instances have been resolved.
After publishing the study, the researchers discovered that Meta and TikTok were also using their own invisible marketing trackers to collect data from other web pages.
Websites that had used the Meta Pixel or TikTok Pixel—snippets of code that allow website domains to track visitor activity—had an “automatic advanced matching” feature turned on, allowing the social media platforms to take data from the advertiser’s websites.
After an email address was entered on a page that had the Meta Pixel in place, clicking on most buttons or links that took users away from that page resulted in personal data being taken by Meta or TikTok, researchers found.
“Documentation we looked together with Asuman claims that [Meta] only collect this data when users click Submit, but we’ve looked into their code and they were collecting all clicks to any button, any link on the page,” says Acar.
For U.S. users, 8,438 sites may have been leaking data to Meta through its Pixel, while 7,379 sites may have been impacted for EU users.
Meta did not immediately respond to Fortune’s request for comment on the findings.
“Considering its scale, intrusiveness and unintended side effects, the privacy problem we investigate deserves more attention from browser vendors, privacy tool developers, and data protection agencies,” the authors cautioned in the study.
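An added example, not code from the study or from Fortune: a Node.js check of the kind a site owner or auditor could run over a recorded browsing session, flagging third-party requests that carry a typed email address before any submit event. The event log format, the host names, and the set of encodings searched for are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Forms in which the typed value may travel. This set is an assumption of
// the example; matching is a plain substring search.
function encodingsOf(email) {
  const v = email.trim().toLowerCase();
  return {
    plain: v,
    urlencoded: encodeURIComponent(v),
    base64: Buffer.from(v).toString('base64'),
    sha256: crypto.createHash('sha256').update(v).digest('hex'),
  };
}

// Naive "same site" test on the last two host labels; a real audit would
// use the Public Suffix List.
const siteOf = (url) => new URL(url).hostname.split('.').slice(-2).join('.');

// events: ordered log of {type:'request', url, body, trigger} and {type:'submit'}.
function findLeaks(pageUrl, email, events) {
  const needles = Object.entries(encodingsOf(email));
  const leaks = [];
  for (const ev of events) {
    if (ev.type === 'submit') break; // only pre-submit traffic counts
    if (ev.type !== 'request' || siteOf(ev.url) === siteOf(pageUrl)) continue;
    const raw = ev.url + '\n' + (ev.body || '');
    // base64 is case-sensitive; the other forms are compared case-insensitively
    const hit = needles.find(([enc, n]) =>
      enc === 'base64' ? raw.includes(n) : raw.toLowerCase().includes(n.toLowerCase()));
    if (hit) leaks.push({ host: new URL(ev.url).hostname, encoding: hit[0], trigger: ev.trigger });
  }
  return leaks;
}

// Constructed sample session: hosts, paths and parameters are made up.
const EMAIL = 'user@example.test';
const SAMPLE = [
  { type: 'request', url: 'https://shop.example.test/api/check', body: '{"email":"user@example.test"}', trigger: 'input' },
  { type: 'request', url: 'https://t.tracker-a.test/collect?em=user%40example.test', trigger: 'input' },
  { type: 'request', url: 'https://px.social-b.test/tr?em=' + encodingsOf(EMAIL).sha256, trigger: 'click' },
  { type: 'submit' },
  { type: 'request', url: 'https://t.tracker-a.test/collect', body: 'em=user@example.test', trigger: 'submit' },
];

console.log(findLeaks('https://shop.example.test/register', EMAIL, SAMPLE));
```

The first-party validation call and the request sent after the submit event are ignored; only the two third-party requests made before submission are reported.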