Researchers say cyberspies exploited security vulnerabilities to plant spyware on Apple iPhones when users merely visited a small group of malware-infected websites.

Sensitive data accessed included text messages, photos and real-time location. Security experts are calling the just-announced vulnerability, which Apple fixed in February, the worst yet affecting iPhones.

Google security researchers say thousands of iPhone users were exposed over more than two years before Apple issued a patch. They do not say who was behind the cyberespionage but experts say it has the hallmarks of a nation-state effort.

Google researcher Ian Beer says in a blog posted late Thursday that the discovery should dispel any notion that it costs a million dollars to successfully hack an iPhone.

Apple did not immediately respond to a request for comment.