Avast, a commonly used and trusted antivirus that is installed in over 435 million devices worldwide has been reportedly harvesting personal user data and selling it to major companies including Google and Microsoft.

The report comes from a joint investigation carried out by PCMag and Motherboard that uncovers leaked company documents obtained through one of Avast’s subsidiary companies, Jumpshot. It reveals that Avast has been harvesting personal user data through browser plugins and has been selling it to third party clients.

The list of client names includes several industry giants such as Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others. Some of these clients paid millions of dollars in exchange for information on what consumers are buying and when.

Although the data was aggregated and personal details were kept confidential, privacy experts agreed that the timestamp information, persistent device IDs, and the collected URLs could easily be combined with other data to link back to a user’s personal identification.

Ever since the report has gone public, Avast has stopped providing user data collected through its browser extensions and has come under a lot of flak regarding user privacy.

It is currently unknown whether Avast is also doing so through its antivirus software as well, but investigation on that is underway.