Comment by habinero
6 days ago
I know exactly what I'm talking about, I'm a security engineer lol. Who has worked with plenty of lawyers.
Yes, this is absolutely illegal. The CFAA is pretty fuzzy when it comes to vuln reporting but accessing other people's accounts without their permission is a line you don't cross. Having a badly secured site is usually not a crime, but hacking one is.
Several jobs ago, some dumbass tested a bunch of API keys that people had accidentally committed on GitHub and then "reported" the vulnerability to us.
The in-house atty I was working with was furious and the guy narrowly avoided legal trouble. If he'd just emailed us about it, we'd've given him something.
Also, whistleblower laws are for employees, not randos doing dumb shit online.