Three of Sega’s Android apps based on its popular character Sonic character violate user privacy and are open to man-in-the-middle attacks, security company Pradeo found.

Sonic Dash, Sonic Dash 2 and Sonic the Hedgehog Classic, downloaded by millions of users, access and leak geolocations and device data, the company said. They send this data to around 11 distant servers, three of which are uncertified.

“Among the distant servers reached by the affected Sega apps when sending data, we can see that most have a tracking and marketing purpose. However, what caught Pradeo’s researchers attention is the fact these apps are sending information to three uncertified servers of which two represent a potential threat,” the company said in a blog.

“Other vulnerabilities detected can result in denial of service, sensitive data leakage and clearly show encryption weaknesses,” the company added.