[kelnos]

I don't think quantifiable significant damage should be the bar we use, though that should act to moderate the consequences.

OP admitted to continue changing URLs in order to check out what plans other companies were getting and what they cost. That means OP downloaded lists of employee names, ages, SSNs, and other data. If I were an employee at one of these other companies, I'd be pissed at OP for that. I'd be even more pissed at the people who built the marketplace website for making the rookie security mistake that allowed it, but it's absolutely not ok to download other people's information when you shouldn't have access to it, and use that to your own advantage.

Sure, I don't think this is something that should be prosecuted as a CFAA violation with big fines and jail time. That's not a proportionate response. But I also don't think we should signal that it's ok to look at (and use!) other people's data just because someone else forgot to lock it up properly. I think, for example, something on the level of a parking ticket would be appropriate here.

If OP had changed the URL once, found the vulnerability, and then immediately closed the page and reported the problem, I would see nothing bad in what they did. But they didn't merely do that, and IMO crossed the line in their subsequent actions.