Thousands of iPhone users may have had their devices hacked by malicious code found in a handful of websites, according to security researchers with Google.
The security vulnerability was revealed in a new blog post by Ian Beer, a member of Google’s Project Zero team. The post describes a small group of websites that were likely visited thousands of times a week; when users visited the sites on iPhone browsers, malicious code on the sites would seek to gain access to their iPhone devices and, if successful, install code that would enable the theft of files and the monitoring of location data.
Users could eliminate the implanted code by rebooting their iPhones. But arguably the most serious security threat of the attack is that the malware was designed to try to access the iPhone’s Keychain system, which can contain sensitive information including passwords to various online accounts as well as databases of encrypted messaging apps like WhatsApp and Apple’s iMessage. In cases where the Keychain was compromised, hackers could theoretically still have this sensitive data even after users rebooted their iPhones.
Google’s researchers warned Apple about the security vulnerability in February, and Apple addressed it in an iPhone software update shortly thereafter. But with Google’s Beer noting that the security vulnerabilities affected iOS versions 10 through 12, it’s possible that related attacks were carried out over the course of two years.
In reporting on the Project Zero post, Motherboard asserts that this security issue may represent one of the largest attacks against iPhone users in the product line’s history.
For Apple, the security vulnerability’s revelation is especially embarrassing given the company’s emphasis on strong security and privacy protections for its devices’ users. And it both highlights and undercuts the value of the kind of sophisticated biometric security measures that Apple has implemented for user authentication: On the one hand, a 3D facial recognition system like the iPhone’s Face ID offers no protection against malware designed to quietly infect the device while it’s in use; yet at the same time, Face ID and other forms of biometric authentication can help to keep digital accounts secure even if the passwords in a user’s Keychain have been compromised.
For his part, Google’s Beer is no Pollyanna on iPhone security, asserting in his post that “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”