Researchers have discovered a flaw in the iOS version of Mail that may have left countless iPads and iPhones vulnerable to data theft.

According to Reuters, the flaw was found by San Francisco-based ZecOps, a company specializing in mobile security forensics. The investigation was prompted by a sophisticated attack against one of ZecOps clients in late 2019.

ZecOps CEO, Zuk Avraham, “said he found evidence that a malicious program was taking advantage of the vulnerability in Apple’s iOS mobile operating system as far back as January 2018.” What makes the vulnerability particularly unsettling is that it requires little to no action on the part of the victim.

The hack works through a seemingly blank email that forces a crash and reset, Reuters reports, opening “the door for hackers to steal other data on the device, such as photos and contact details.” Not even recent versions of iOS protect a user, leaving the victim vulnerable to having their data remotely stolen from their device.

Apple did confirm to Reuters that a vulnerability does exist in Mail, and an upcoming software update would include a fix. While the fix is certainly good news, it’s worrisome that such a severe bug went undiscovered for so long while, at the same time, apparently being exploited by bad actors.