Oof, Neon app breach exposes user recordings and data in major privacy failure

Neon, the app that pays users to share audio recordings for AI training, promises to return despite suffering a massive security breach that exposed users’ phone numbers, call recordings, and transcripts to anyone who accessed the platform. The breach has raised serious legal concerns about consent violations and potential criminal liability for users who secretly recorded conversations without permission.

What you should know: The security vulnerability was so severe that it allowed complete access to all user data with no authentication required.

• TechCrunch discovered that anyone could access phone numbers, call recordings, and transcripts of any user through the security flaw.
• The company responded by taking the app offline while leaving it available for download in the App Store.
• Some users were exploiting the app by secretly recording real-world conversations of people who didn’t know they were being recorded, according to accessed transcripts.

The big picture: Neon had rapidly gained popularity by offering users hundreds or thousands of dollars annually for allowing their conversations to train AI chatbots, becoming the second most popular social app and sixth most popular app overall in the App Store.

How the app works: Neon claims to record only the user’s side of calls unless both parties use the app, though experts question this assertion.

• “When you make a call through the Neon app, it’s recorded. If you’re the only Neon user on the call, we’ll only record your side. If both people are using Neon, we’ll record both sides—as long as at least one person starts the call in the app,” the company states.
• The app promises that “our technology automatically filters out names, numbers, and other personal details.”
• One cybersecurity expert and privacy attorney suggested the company may actually record both sides and then remove the other party’s words from transcripts.

Legal risks: Users could face both criminal charges and civil lawsuits in states requiring two-party consent for recordings.

• “Imagine a user in California records a call with a friend, also in California, without telling them. That user has just violated California’s penal code,” said David Hoppe, founder and managing partner of Gamma Law, a legal firm specializing in technology issues.
• “They could face criminal charges and, equally scary, be sued civilly by the person they recorded.”

What they’re saying: Founder Alex Kiam emailed users promising the app’s return while maintaining payment commitments.

• Kiam “promised Neon would be back ‘soon’ and apologized” but did not respond to requests for further comment, according to CNET.
• He assured users that “their payments are still in place, despite the app going dark.”