A flaw in Kaspersky Antivirus put millions of users at risk by making it possible for websites to track the online activity of users without their consent, a security journalist has discovered. The software contained a module that injected JavaScript code onto web pages visited by Kaspersky users. The code contained a unique ID number for each individual device, which could be read by other scripts running on the domain, thereby allowing websites to track Kaspersky users via this ID.

Websites could even track users if they were browsing in incognito mode or deleted browser cookies after every session. After the security researcher disclosed the issue to Kaspersky, the company abandoned the unique identifiers, admitting that those “can potentially lead to the disclosure of a user’s personal information.” However, the company argues that while “such scenarios of user’s privacy compromise are theoretically possible,” they “are unlikely to be carried out.

Read more: Kaspersky Antivirus flaw leaves millions open to online hack