WWE appears to have made a mistake in handling the personal data offered up by 3 million of its fans, possibly when subscribing to the sports entertainment company’s eponymous online network.

According to Forbes, the sports entertainment company stored key personal information, including addresses, educational background, earnings and ethnicity, on an unsecured server that, until this week — when the breach was discovered by a security firm — anyone could’ve accessed.

“It’s unfortunate by being a WWE fan, you’re now part of a data breach,” Joseph Lorenzo Hall, chief technologist at the Center for Democracy & Technology, told Forbes.

While it was Bob Dyachenko of the security firm Kromtech who discovered and alerted WWE of the breach on July 4, Hall questioned the ethical implications of some of the data WWE appears to have been collecting, including ethnicity, which has been controversially used in the past to target advertisements online according to race.

In its response to Forbes, WWE did not detail why it had been collecting certain information, nor did the company confirm whether the data came from a list of WWE Network subscribers as Dyachenko suggested. The company did, however, confirm the breach, which left data unsecured on an Amazon Web Services S3 server. (Jeffrey P. Bezos, the chief executive of Amazon, owns The Washington Post.)

“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a potential vulnerability of a database housed on a third party platform,” a spokesperson told Forbes.

WWE has reportedly since locked down the data and said that it is working with “leading cyber security firms to proactively protect” customer data and future leaks.