Google’s privacy team said it has discovered a two-year long vulnerability in the iPhone software.

The bug targeted a small number of websites. Simply visiting those pages could have left iPhone users susceptible to the breach and possibly affected thousands of users per week, Google Zero wrote in a number of blog posts on Thursday.

Visiting the unnamed sites allowed hackers to gain access to information including the ability to track movements via the phone’s GPS system, to obtaining passwords and being privy to sensitive conversations through iMessage and WhatsApp.

Earlier in August Apple’s top security engineer said the company would begin distributing special iPhones to researchers to help them discover flaws before malicious hackers do.

The bug-hunting hackers at Google reported the issue to Apple on Feb. 1 and, less than a week later, Apple updated its operating systems.

“All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly,” Ian Beer, a Project Zero researcher, wrote in a blog post. “Treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.”

Beer said attackers exploited fourteen different software flaws, including seven which targeted Safari, the Apple product’s built-in web browser. The cybercriminals could access various features on the phone, including those usually off-limits to users. This meant hackers could quietly install malware onto the device without the owner knowing.