In the wake of the Facebook/Cambridge Analytica scandal, it’s easy to imagine that companies are now more careful when it comes to privacy matters—but it seems that isn’t the case. A bug on the website of phone tracking service LocationSmart allowed anyone to see the real-time location of US cell phone users, and without their consent.

LocationSmart aggregates the data of phones connected to AT&T, Sprint, T-Mobile, and Verizon, obtaining locations from nearby cell towers, KrebsOnSecurity reports. The company, which said it provides this service only for legitimate and authorized services, offered a demonstration of these tracking abilities on its website.

The free trial allowed a potential customer to type in a phone number, at which point that number would receive a consent text. Once the person replies with a “yes,” their location would be revealed. But an error in the API allowed anyone without a password or any other form of authentication to do a search, and the locations were revealed without people’s consent.

Carnegie Mellon University researcher Robert Xiao uncovered the bug. “I stumbled upon this almost by accident, and it wasn’t terribly hard to do. This is something anyone could discover with minimal effort,” he told Krebs. Xiao posted technical details of his find here.

Xiao said the error might have exposed around 200 million cell phone users in the US and Canada. The free demo has now been removed from the website.

LocationSmart founder and CEO Mario Proietti told Krebs: "We don't give away data. We make it available for legitimate and authorized purposes. It’s based on legitimate and authorized use of location data that only takes place on consent. We take privacy seriously, and we’ll review all facts and look into them.”

News of the bug came just five days after the New York Times story on prison telecom company Securus, a customer of LocationSmart. The publication revealed how a former police sheriff used the firm to get location data without a warrant.