I once reported an exposed AWS access key (someone posted it to StackOverflow) to AWS support and they weren't quite sure what to do with it; gave me instructions on how to disable it in the Console, but it wasn't mine.
I gave up after a couple rounds and just committed it to Github; their credential monitoring bot disabled it within seconds.
I misused someone's credentials with good intent. It's an example of why intent matters, and the CFAA (and lots of other laws) includes wording like "knowingly and with intent to x" in quite a few spots.