Millions of people, including in India, use free version of Avast anti-virus to safeguard their devices from hackers and the news came as a shocker for them.
The joint investigation by Motherboard and PCMag found that "the sale of this data is both highly sensitive and is, in many cases, supposed to remain confidential between the company selling the data and the clients purchasing it".
In a statement shared with , Ondrej Vlcek, Global CEO of Avast said that in December 2019, the company acted quickly to meet browser store standards and are now compliant with browser extension requirements for our online security extensions.
"At the same time, we completely discontinued the practice of using any data from the browser extensions for any other purpose than the core security engine, including sharing with our subsidiary Jumpshot," said Vlcek.
The leaked documents accessed for the investigation were from a subsidiary of the antivirus giant called Jumpshot.
The Avast antivirus programme, installed on a person's computer, collected the browser history data, and Jumpshot repackaged it into various different products which were sold to big companies, said the investigation.
"Potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others".
Vlcek said it has ensured that Jumpshot does not acquire personal identification information, including name, email address or contact details.
"Users have always had the ability to opt out of sharing data with Jumpshot. As of July 2019, we had already begun implementing an explicit opt-in choice for all new downloads of our AV, and we are now also prompting our existing free users to make an opt-in or opt-out choice, a process which will be completed in February 2020," explained the Avast CEO.
In copies of contracts accessed with Jumpshot clients, one marketing firm paid over $2 million for data access last year.
According to the investigation, Avast also recorded "porn site visits that are anonymized, offered the date and time the user visited the sites, as well as search terms and viewed videos in some instances".
Multiple Avast users told Motherboard they were not aware that Avast sold browsing data, raising questions about how informed that consent is.
The investigation claimed that Avast is still harvesting the data, but via the anti-virus software itself, rather than the browser plugins - a claim denied by the company.
( With inputs from IANS )