You have likely broken the law by accessing that Amazon account which was not yours, and now you blog about it. It might be a good idea to talk to a lawyer.
I accessed the person(s)' Amazon account to find contact information. They are now fully aware that I accessed the account as I left a voicemail. I offered full access to the Gmail account and gave the password on the Amazon account so they could shut it down and alert Amazon, who could also further do a full audit of what I accessed.
There does not seem to be any alarming distress in the situation. It has been over 2 months since the incident, and I made sure that the person(s) involved was fully aware, and aware of the blog post. No issue was raised about me writing it up and posting it. I also waited for a period of time to hear back from the Google Security Team. I believe I have taken the correct response here.
The philosophical nature of criminal law in common law countries is that offences against a person are offences against the Crown or People (depending on your jurisdiction).
The practical outcome is that the Crown or People can choose to independently charge you with a crime, regardless of what the actual 'victim' wants.
There was no need to notify the owner of the issue. If your intentions were honest, as I'm sure they were, then just delete the information. You don't need to break into the Amazon account to notify anyone since the information wasn't public and you weren't going to do anything malicious with it.
Good idea to talk to a lawyer? I'd wait until you're actually sued before wasting your time and money worrying about something so stupid. Most people aren't going to sue you if you explain what you did (and why) and it's obvious you had genuine intentions.
Danger Will Robinson! Danger! As anybody who has recently decided to browse Sarah Palin's email can tell you, accessing a computer system to which one does not have legitimate access with genuine intentions is still a federal crime and "It was easy to do!" is not a defense.
If you ever find yourself logged into someone else's account, log out and, if you absolutely have to reproduce it, reproduce the attack against an account you have legitimate control over. (e.g. Register dummydomain.co, set up a Google Apps account tied to it, transfer the domain, regain access to the Google Apps account using nothing but the DNS settings to the transferred dummy domain. If this succeeds, you know you can compromise any account linked to a Google Apps email account on an expired domain -- you don't need to commit a federal crime to demonstrate this.)
Don't take this as legal advice, but there is such a thing as mitigating circumstances. Your suggested approach leaves a gaping security hole open for a fairly long time before anything happens. Also, simply logging in once and doing nothing to verify a new security breach is very different than browsing info. It's like noticing a door was left slightly open, yelling "your door's open" and, if nobody answers, closing but not locking it. Technically you broke the law, but a prosecutor is unlikely to win a case so they will probably just drop it.
PS: Under the right circumstances you could still be sued though. Edit: You can also be sued for just about anything so IMO it's somewhat moot.
Personally, I think that's naive. There are a lot of people that will overreact in the extreme. Especially since they've been caught with their pants down (even though they haven't been specifically outed by name).
Bringing a lawsuit against someone requires, in general, damages or some loss. Not to mention a retainer. Getting a prosecutor to enforce a law when there is essentially no harm would be next to impossible. If a law was broken.
Without the disclaimer, in some jurisdictions the post could be interpreted as unauthorized or inappropriate practice of law. http://en.wikipedia.org/wiki/IANAL
Real "legal advice" is professional advice, as ascertained by the board which gave a license to the person (lawyer) who is qualified to dispense such legal advice. Giving "legal advice" when the giver is not licensed to give such advice is dangerous to the public interest, and is discouraged through laws and customs.
Now, any person can give any other person advice on legal matters, as long as the target of the advice is not fooled into thinking that he got the real certified stuff. To stay on the right side of the customs, the easiest thing to do is to confess to a lack of credentials and make things abundantly clear by directing the other person to the real professional after expressing your initial concern or opinion.
Now, it might seem backwards to you, and you might expect that the default would be "people talk shit all the time, so no one should listen unless the speaker actually provides credentials". This is how it works in most areas, but not all. In particular, law and health are two areas where the state saw fit to go out of its way to protect the least savvy members of society by twisting the default setting the other way around.
Obviously, this is not legal advice on how to give legal advice, or on any other matter.
IANAL, but I think that in this context "legal advice" has a meaning beyond the English one. It is also used to indicate an attorney-client relationship and the associated liability and confidentiality.
So someone can give legal advice (English), but say it isn't legal advice (Legalese) and that makes it not legal advice (Legalese).
The main reason for IANAL, TINLA is that lawyers have attorney's immunity, and Joe Schmoe does not. If somebody relies on my opinion as if it is legal advice and from the circumstances it looks like legal advice, I can be in deep poop if the advice was wrong.