The investigation incriminates a lot of big name companies. We don't know for certain which are past, present or potential clients, but the list includes Expedia, Intuit, Keurig, Condé Nast, Loreal and more. Microsoft said it doesn't have a current relationship with the company. Yelp said Jumpshot was "engaged on a one-time basis," and Google did not respond to Motherboard and PGMag's request for comment.

The data sold includes everything from Google searches, Google Maps location searches, activity on companies' LinkedIn pages, YouTube video visits and data on people visiting porn websites. The data is supposedly anonymized and does not include personal information, like names or contact info, but experts fear that it could be possible to de-anonymize certain users.

One product Jumpshot markets is an "All Clicks Feed," which tracks users' clicks across websites in precise detail. It's advertised as "Every search. Every click. Every buy. On every site." At least one customer, New York-based marketing firm Omnicom Media Group, signed up for the tool. According to Motherboard and PCMag, Omnicom paid Jumpshot $2,075,000 for access to data in 2019.

This isn't the first time Avast has run into data collection trouble. Just a couple months ago, Mozilla pulled Avast's Online Security and SafePrice extensions for Firefox, as well as Avast's AVG-branded equivalents, after they were found to be collecting much more data than necessary. Collecting and selling off this highly detailed info is especially troubling coming from Avast, a company whose primary function is to protect its users.

CORRECTION 1/28/2020 11:50AM ET: While Sephora was listed in the Motherboard/PCMag report, the company says it is not a client and has not worked with Avast or Jumpshot.