Even if a guy is an easily hackable asshole, usually accessing the stuff directly and downloading his database is still a crime (at least in the US). Stay safe, buddy.
If I serve a file with info I didn't intend for the world to see at example.com/secret and you access it, did you commit a crime? Clearly no.
Given that, you have no way to even know if the data which was available publicly contained any private information. This guy is doing a fine public service, and any company he helps should pay him for saving their asses.
Prosecutors are not famous for caring about internet arguments; weev (who is a piece of shit for other reasons) got sentenced to 41 months for effectively incrementing an integer in a URL - https://www.justice.gov/usao-nj/pr/new-york-man-sentenced-41...
"he concocted the fiction that he was trying to make the Internet more secure, and that all he did was walk in through an unlocked door. The jury didn’t buy it, and neither did the Court in imposing sentence upon him today."