Neon takes down app after exposing users' phone numbers, recordings, transcripts (techcrunch.com)

Neon, a viral iPhone app that paid users for recorded phone calls to sell as AI training data, was pulled offline after TechCrunch discovered a critical security flaw that exposed other users’ phone numbers, call recordings, transcripts and metadata. Using a network proxy (Burp Suite) to inspect the app’s traffic, testers found backend endpoints that returned recent call lists, plain-text transcripts and public URLs to raw audio files; the servers did not enforce access controls, so any logged-in user could enumerate or fetch other users’ data (phone numbers, timestamps, durations, and earnings). The founder took the service down after being notified but emailed users without explicitly acknowledging the data exposure; it’s unknown whether any data was exfiltrated or if app stores will intervene. For the AI/ML community this is a cautionary case about data provenance, consent and security hygiene. It underscores the legal and ethical risks of monetizing conversational audio for model training—buyers and builders must validate how datasets were collected, ensure access controls and secure APIs are in place, and confirm consent for third-party participants. Technically, the incident highlights common failures: missing authorization checks, publicly accessible object URLs, inadequate logging/forensics, and weak breach notification. Teams sourcing or purchasing audio corpora should require attestations, perform security audits, and treat such datasets as high-risk to avoid privacy violations, regulatory exposure, and model contamination with sensitive personal data.