A new security flaw has been discovered in iOS 9 that allows one to access the Photos, Contacts, and Messaging application on an iPhone or iPad by bypassing its protected lock screen.
The process takes advantage of the ability to invoke Siri from the lock screen and the 1-minute lockout policy in iOS 9. Entering the wrong passcode a few times and invoking Siri on the last try before the 1-minute device lockout policy is enforced will basically grant you limited access to certain apps on the device.
The problem only affects iOS 9 devices that use a four- or six-digit passcode for protection. The bug is present on devices with or without the Touch ID sensor. It is also present in iOS 9.0.1 and iOS 9.1 beta 2 which were released earlier today.
Until Apple gets around to fixing this bug, you can disable Siri to be invoked from the lock screen to prevent this hack from working.