A cell phone tracking company unintentionally leaked the real-time locations of millions of Americans due to a bug on its website.

According to ZDNet, the company, which has “direct connections” to “all major US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint,” allowed anyone exploiting the bug to track a cell phone’s location in real time without the owner’s permission.

“The site had its own ‘try-before-you-buy’ page that lets you test the accuracy of its data. The page required explicit consent from the user before their location data can be used by sending a one-time text message to the user,” ZDNet reported. “But that website had a bug that allowed anyone to track someone’s location silently without their permission.”

Student Robert Xiao claimed that “due to a very elementary bug in the website, you can just skip that consent part and go straight to the location.”

Journalist Brian Krebs, who also verified the bug, detailed how he was able to watch people move around in real time.

“None of them got any notification that their location was being tracked,” Krebs proclaimed. “I had a friend who was driving around Hawaii and pinged the location and I could watch the marker move around the island… It’s the kind of thing that sends chills down your spine.”

Though the feature was removed shortly after the bug was discovered, ZDNet explained that the company effectively “exposed nearly every cell phone customer in the US and Canada, some 200 million customers.”