A lot of web-infrastructure is public API these days. If someone misconfigures their S3 instances and allows the public to access it... accessing internal S3 data (despite being from a public API) is considered hacking IIRC.
The law doesn't care about how easy or hard it is to perform the hack. All it cares is about intent.
The law doesn't care about how easy or hard it is to perform the hack. All it cares is about intent.