Thousands of iPhone users per week have been subject to an unprecedented 2.5-year hacking operation which was finally disrupted in January, according to researchers at Google's external security team and reported by The Guardian.
iPhone users who visited a 'small collection of hacked websites' would then be subject to a malware download.
Users were compromised simply by visiting the sites: no interaction was necessary, and some of the methods used by the hackers affected even fully up-to-date phones. -The Guardian
After becoming infected, the hackers had access to a user's location, keychain (containing all their passwords), chat histories on popular apps such as iMessage, WhatsApp and Telegram, their address book, and their Gmail database.
As the Guardian notes, the silver lining to the hack is that once a user's phone was restarted, the hack became inactive unless the user went back to a compromised site. That said, according to Google security researcher Ian Beer "Given the breadth of information stolen, the attackers may nevertheless be able to maintain persistent access to various accounts and services by using the stolen authentication tokens from the keychain, even after they lose access to the device."
A total of 14 bugs were found across five different "exploit chains" for this particular iOS attack, allowing a hacker to 'hop' from exploit to exploit, increasing their grip on a user's information each time.
"This was a failure case for the attacker," said Beer - a member of Google's white-hat hacking group, Project Zero. "For this one campaign that we’ve seen, there are almost certainly others that are yet to be seen."
"All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them."
Google reported their findings to Apple on February 1, after which the company released a patched OS update six days later.