🚨📈 The Viral App That Leaked User Data
Why Benchmark bet $25M on verification

A week ago, if someone told you that you could make money by letting strangers listen to your phone calls, you might have suggested therapy. But Neon, an app that pays users to record their calls so AI companies can buy the audio for training data, just cracked the top-five free iPhone apps with 75,000 downloads in a single day.

Even if downloads cut in half to 32,000/day, Neon would hit one million users in 33 days, faster than Instagram (2.5 months), Spotify (5 months) or Facebook (11 months), though still nowhere near ChatGPT's record five days. Not bad for an app whose entire value proposition is "we'll pay you to wiretap yourself."

Then it went offline after a security flaw let anyone access any user's phone numbers, call recordings, and transcripts. Oops.

The Neon debacle feels like a perfect microcosm of where we are in 2025: AI companies desperately need training data, regular people want to get paid for their data, and someone builds a viral app to connect them - except they have no idea how to secure it. What makes this particularly interesting isn't the privacy violation (though yikes), but what it reveals about two much larger business trends colliding in spectacular fashion.
The New Freemium: Your Data Is the Product (Again)
Neon isn't inventing a new playbook; this one is years old. Email clients, file optimizers, and VPN providers have been pulling this move for a long time: give away a free software product, then quietly harvest the credit card transaction data or e-receipt data to sell to hedge funds.

The real money often isn't in credit card transaction data (which only tells you someone shopped at Target) but in detailed e-receipt data, which reveals exactly what items someone bought.
When Everyone Can Code, No One Can Secure
The real story behind Neon's security failure isn't about one app, it's about what happens when AI democratizes software development faster than it democratizes software security knowledge.
AI coding agents like Cursor, Replit, Lovable, and Windsurf have created something unprecedented: they've removed the barriers to building complex software without replacing the quality control mechanisms that those barriers provided. Suddenly, people who couldn't write a single line of code six months ago are shipping web applications. The problem is, they also can't spot a SQL injection vulnerability if it sent them a calendar invite.
The numbers here tell the story. Lovable and Replit are both generating $130 million in annual recurring revenue. Bolt is at $75 million. Base44 cleared $10 million. That's roughly 17 million people paying for these apps and deploying code who have never learned to write code.
Predictably, security incidents are piling up faster than ever. Tea, an app that launched in July 2025 letting women post anonymous reviews of men they've dated, just suffered a breach exposing 72,000 images, including 13,000 selfies and photo IDs. The app had been live for eight months before someone noticed that user verification data was sitting unprotected.

Even Lovable, one of the largest vibe coding platforms, got called out by a competitor in March for fundamental security misconfigurations in their Row Level Security implementation.

Here's where this gets financially interesting: the companies creating this security crisis might also be perfectly positioned to solve it, and make better money doing so.
Take Replit. They're operating at roughly 23% margins, well below the 80%+ that traditional software companies achieve. Part of this is because of reasoning: when you give AI more time to think, it produces better results. The more time Replit allows its/Anthropic’s coding agents to think, the more it costs them.

That somewhere else might be security verification. Greptile just raised $25 million from Benchmark (the same firm that made early bets on Uber and Twitter) specifically to build AI-powered code review for security vulnerabilities.

The platforms are already moving in this direction. Replit now offers security scans through third-party providers whenever someone publishes an app. It's both a customer service (removing deployment friction) and a potential revenue stream. The more secure their users feel, the more code they'll deploy. The more code they deploy, the more they'll pay for generation tools. And if Replit can capture some of that security spend directly, they've found a path to better unit economics.
This creates an almost ironic business dynamic: the platforms that enabled the security crisis by making coding accessible to everyone are now positioned to profit from solving the security crisis they created. It's like selling fire insurance in a town where you also run the fireworks factory.
What Happens Next
As the cost of generating code approaches zero, the volume of code being deployed is exploding. Human code review simply can't keep up with machine code generation. Something has to fill that verification gap, whether it's platforms cross-selling security to their existing customers or new startups like Greptile building specialized tools for this exact problem.
In 12-24 months, don't be surprised if insurance companies start requiring AI code security verification for coverage, or if "security-first" becomes the main differentiator between developer platforms.

