Neon Mobile, an app that paid users for recording and selling their phone call data to AI firms, suffered a critical security breach exposing highly sensitive user information. The vulnerability allowed unauthorized access to phone numbers, call transcripts, audio recordings, metadata (call duration, date), and a full list of recent calls from *all users* without authentication. The flaw was trivial to exploit using basic tools like Burp Suite, revealing a near-total collapse of security controls. TechCrunch confirmed that recordings included covertly captured real-world conversations, often without the knowledge or consent of all parties involved. The breach risked exposing private, identifiable discussions ranging from personal matters to financial or professional details with no safeguards against misuse. The app was taken offline after the discovery, but the founder’s response downplayed the severity, failing to disclose the full scope of the exposure to affected users. The incident underscores systemic failures in data protection, consent mechanisms, and secure API design, with potential long-term reputational and legal repercussions for the company.
TPRM report: https://www.rankiteo.com/company/neon-mobile
"id": "neo2932329092625",
"linkid": "neon-mobile",
"type": "Breach",
"date": "9/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'All users (exact number undisclosed; call recordings/transcripts exposed)',
                        'industry': 'AI Data Collection/Monetization',
                        'name': 'Neon Mobile',
                        'type': 'Mobile Application'}],
 'attack_vector': ['Insecure Direct Object Reference (IDOR)',
                   'Improper Access Controls',
                   'Lack of Authentication for Sensitive Data'],
 'customer_advisories': ["Single vague email from founder (Alex Kiam) mentioning 'extra security layers' without details"],
 'data_breach': {'data_encryption': 'No (data exposed in plaintext via direct links)',
                 'data_exfiltration': 'Yes (via publicly accessible links; no authentication required)',
                 'file_types_exposed': ['Audio files (recordings)',
                                        'Text files (transcripts)',
                                        'JSON/Metadata (call details)'],
                 'personally_identifiable_information': ['Phone numbers',
                                                         'Voices (biometric data)',
                                                         'Conversational content (may include names, addresses, financial details)'],
                 'sensitivity_of_data': 'Extremely High (intimate conversations, personally identifiable information, potential blackmail/social engineering material)',
                 'type_of_data_compromised': ['Audio recordings of private calls',
                                              'Text transcripts of calls',
                                              'Phone numbers (caller/recipient)',
                                              'Call metadata (timestamps, duration)']},
 'description': 'The Neon Mobile app, which paid users for recordings of their phone calls (later sold to AI firms for algorithm training), was taken offline after a critical security vulnerability was discovered. The flaw allowed unauthorized access to users’ phone numbers, call transcripts, recordings, and metadata, including those of other users, via trivial tools like Burp Suite. The app’s lack of security measures, failure to notify call participants of recordings, and potential for covert surveillance raised severe privacy concerns. TechCrunch reported the issue to Neon’s founder, Alex Kiam, who temporarily shut down the app but did not disclose the breach’s severity to users.',
 'impact': {'brand_reputation_impact': 'Severe (associated with covert recording, privacy violations, and inadequate security)',
            'customer_complaints': 'Likely (not quantified; privacy violations reported by TechCrunch)',
            'data_compromised': ['Phone call recordings',
                                 'Call transcripts',
                                 'Phone numbers',
                                 'Call metadata (date, duration, participants)'],
            'downtime': 'App taken offline indefinitely (status unknown)',
            'identity_theft_risk': 'High (phone numbers + call content could enable social engineering or doxxing)',
            'legal_liabilities': ['Potential violations of wiretapping laws (e.g., U.S. Federal Wiretap Act, state two-party consent laws)',
                                  'GDPR/CCPA non-compliance (if applicable)',
                                  'Class-action lawsuits for privacy harms'],
            'operational_impact': 'Complete shutdown of service; potential permanent removal from app stores (Apple/Google)',
            'systems_affected': ['Neon Mobile app backend servers',
                                 'API endpoints handling call data']},
 'investigation_status': 'Initial disclosure by TechCrunch; no formal investigation results published',
 'lessons_learned': ['Inadequate authentication/access controls can lead to catastrophic privacy breaches.',
                     'Monetizing sensitive user data (e.g., call recordings) requires robust legal and technical safeguards.',
                     'Transparency in data collection and breach disclosure is critical to user trust.',
                     'AI training datasets must be vetted for compliance with privacy laws and ethical standards.'],
 'post_incident_analysis': {'corrective_actions': ['None verified; app remains offline with unclear future'],
                            'root_causes': ['Lack of authentication for API endpoints returning sensitive data.',
                                            'Publicly accessible object storage (recordings/transcripts) without access controls.',
                                            'Insufficient security testing pre-launch.',
                                            'No privacy-by-design principles applied (e.g., data minimization, consent management).']},
 'recommendations': ['Implement zero-trust architecture with strict authentication for all data access.',
                     'Encrypt sensitive data (recordings/transcripts) at rest and in transit.',
                     'Conduct third-party security audits before launching high-risk apps.',
                     'Obtain explicit, informed consent from all parties before recording calls.',
                     'Anonymize/pseudonymize data to prevent re-identification.',
                     'Develop a breach communication plan that prioritizes transparency.',
                     'Avoid monetization models that incentivize privacy violations.'],
 'references': [{'source': 'TechCrunch',
                 'url': 'https://techcrunch.com/2023/XX/XX/neon-app-security-flaw-exposes-call-recordings/'}],
 'regulatory_compliance': {'legal_actions': ['Potential class-action lawsuits',
                                             'Regulatory investigations (FTC, state AGs)'],
                           'regulations_violated': ['Potential violations of U.S. Federal Wiretap Act (18 U.S.C. § 2511)',
                                                    'State two-party consent laws (e.g., California Penal Code § 632)',
                                                    'GDPR (if EU users affected; Articles 5, 6, 9, 32)',
                                                    'CCPA (if California residents affected; failure to disclose data collection/sale)',
                                                    'FTC Act (unfair/deceptive practices)']},
 'response': {'communication_strategy': ['Vague email to users omitting breach severity',
                                         'No public statement addressing privacy risks or legal implications'],
              'containment_measures': ['App shutdown',
                                       'No further details provided'],
              'incident_response_plan_activated': 'Partial (app taken offline; no transparent communication to users about breach details)',
              'remediation_measures': ["Claimed 'extra layers of security' (no specifics)",
                                       'No evidence of user notification or data deletion']},
 'title': 'Neon Mobile App Security Flaw Exposes Users’ Private Call Recordings and Transcripts',
 'type': ['Data Breach', 'Privacy Violation', 'Unauthorized Data Access'],
 'vulnerability_exploited': ['Exposed API endpoints returning call metadata/recordings without authentication',
                             'Publicly accessible links to call recordings/transcripts',
                             'No rate-limiting or access restrictions on user data']}