It’s not every day that consumers find themselves wrapped up in a web of international cyber espionage. But that’s what seems to have happened following recent reports that the home computer of a National Security Agency contractor was hacked by Russian agents using Kaspersky antivirus software that’s supposed to protect consumers from harm.

The incident occurred in 2015 but was first reported by The Wall Street Journal and The New York Times earlier this month. Further reports added details implying that the vulnerability to Kaspersky’s software could have been massive in scale.

According to an article in The New York Times on Wednesday, the NSA investigated after Israeli government hackers informed U.S. officials that software sold by Kaspersky Lab was being used to comb computers worldwide for classified material. The company is based in Russia, and sources in the same new reports suggest that Kaspersky Lab personnel were aware of the hacking and actually assisted with it.

As you might expect with an incident involving the security agencies of three governments, there are as many questions as answers about just what happened. No evidence so far indicates that data was stolen from ordinary consumers who had Kaspersky antivirus software on their computers.

However, Kaspersky security software affects millions of computer users around the world, according to the company’s marketing materials. Even though consumers apparently weren’t the main targets, it seems that many home computers may have been searched for information of potential interest to Russian spy agencies. 

In an emailed statement, Kaspersky Lab called allegations that it helped Russian intelligence “unfounded” and added that the company “was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.”

What If You Use Kaspersky Software?

It’s not clear whether Kaspersky software poses a threat to consumers’ computers, but security experts, including those who used to work for the U.S. government, say there is reason for concern.

“It’s a big deal,” says Blake Darché, a former NSA cybersecurity analyst and the founder of the cybersecurity firm Area 1. “For any consumers or small businesses that are concerned about privacy or have sensitive information, I wouldn’t recommend running Kaspersky.”

By its very nature antivirus software is an appealing tool for hackers who want to access remote computers, security experts say. Such software is designed to scan a computer comprehensively as it searches for malware, then send regular reports back to a company server. 

“One of the things people don’t realize, by installing that tool you give [the software manufacturer] the right to pull any information that might be interesting,” says Chris O’Rourke, another former NSA cybersecurity expert who is the CEO of cybersecurity firm Soteria. “As a consumer you have to think ‘What am I giving away when I sign up and use this software?’”

Consumer Reports included Kaspersky Internet Security 2017 in its testing of antimalware packages, and the product did well in such tasks as blocking access to phishing sites and protecting PCs from malware loaded on devices plugged into USB ports. We have not independently tested the software for its vulnerability to this kind of attack. Consequently, we have not changed its recommended status in our ratings. However, we will continue to monitor this developing story.

Consumer Reports is currently devoting more resources to security testing and is working with outside partners to develop better standards for digital products.  

Consumers who use Kaspersky products now but would like to make a change have a number of options. Consumer Reports recommends security packages from several companies, including AVG, Avira, G Data, and Symantec.

In the past, it could be difficult to uninstall antimalware software, but that’s no longer true, according to Consumer Reports tester Rich Fisco. “You run the uninstaller, wait for it to say that it’s done, and then reboot your computer.” Fisco notes that Windows Defender Antivirus, which is built into Windows 10, is a different story: “You can disable it, but you can’t uninstall it.”

Some laptops come preloaded with Kaspersky antivirus software. With these machines you uninstall the software the same way. However, O'Rourke says, if you ever reinstall the operating system from a disk or USB recovery drive, it’s likely that the Kaspersky software would be reinstalled along with the rest of the operating system.

Retailers Offering Help

Concerns over Kaspersky software have been building. Last month, the Department of Homeland Security issued an order—officially called a binding operational directive [BOD]—to federal agencies to remove Kaspersky software from government computers within 90 days.

“Kaspersky antivirus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems,” the DHS wrote in the order, citing concerns “about the ties between certain Kaspersky officials and Russian intelligence.”  

The United States Computer Emergency Readiness Team, or US-Cert, the Homeland Security division charged with assessing cyberthreats, didn’t respond to questions about the safety of Kaspersky antivirus software for consumers. 

In response to worries among consumers, the Best Buy electronics chain stopped selling Kaspersky products in mid-September. The retailer is letting consumers who had already purchased Kaspersky software and had an active subscription to exchange it free of charge for 45 days. And if customers don’t want to uninstall the software themselves, one of Best Buy’s Geek Squad agents will do it free within that time window.

Office Max and Office Depot also pulled the software from sale. Those companies offered to uninstall Kaspersky software free of charge, regardless of where it was purchased, run a virus scan on the computer, and replace the software with McAfee LiveSafe antivirus software with a year’s license free.

Politicians are reacting to this week’s revelations. “Recent developments should serve as a stark warning, not just to the federal government, but to states, local governments, and the American public, of the serious dangers of using Kaspersky software,” New Hampshire Senator Jeanne Shaheen says. “The strong ties between Kaspersky Lab and the Kremlin are extremely alarming and have been well-documented for some time.”