Google researchers found a security hole in iOS, the software for iPhone and iPad, which wasn't patched for at least two years. The problem was rapidly patched by Apple earlier this year when the issue was drawn to its attention.
There's plenty of information about the exploit from UK-based Ian Beer of Google's Project Zero Team available on the Project Zero blog, but essentially there was a problem with the Safari default browser.
When you visited one of a small group of malicious websites, the exploit would monitor activity on your phone and enable the site to suck up personal information.
"There was no target discrimination," says the post. "Simply visiting the hacked site was enough for the exploit server to attack your device, and if it was successful, install a monitoring implant."
Beer estimates the malicious sites receive thousands of visitors per week.
Even though the issue was patched immediately by Apple, it highlights how issues like this can slip through even the most stringent testing. It also shows why you should always update to the latest versions of the software on your devices.