Apple has deleted hundreds of apps from the App Store after a security firm discovered they were harvesting private user data such as email addresses and device IDs.

A group of apps that used a third-party software interface to display advertising have been inadvertently routing private data to servers owned by Chinese ad platform Youmi, who made and distributed the code to developers for use in their apps. This is of course in violation of Apple’s user-protecting privacy policy. It’s unlikely the developers themselves had any knowledge of what was taking place.

A full list of culprits has yet to be announced, but most (if not all) of the 256 offending apps originate from the Chinese App Store – much like last month’s XcodeGhost fiasco – and wouldn’t have been available to iPhone users from America and Europe. So you can breathe a little easier if you’re based in the West.

Still, it shows a slightly worrying lapse of judgment from the App Store review team that rogue apps like these went unnoticed. Nate Lawson from SourceDNA says it’s “definitely the kind of stuff that Apple should have caught.” Apple is infamous for its strict “walled garden” App Store policy, and this kind of security lapse is pretty uncommon on iOS.

Apple has taken swift action, removing all apps using the offending API. It has warned developers not to trust the company that created the ad platform and its malicious code, and will reject any apps including it in future.

Read more: US government backs down over privacy dispute