| Here is my analogy: 1. You just finished your workout and went to a locker room at your gym (he went to a public website) 2. You opened up your own locker and took your stuff from it (checked his account) 3. You found out that very few people are using locks in the gym locker room (figured the account id in url ) 4. You know that it is not your belongings in other people lockers, but they are not locked just because people are just lazy or don't want to spend money on the lock (he knew that those accounts do not belong to him, and were accidentally not locked by by at&t) 5. You decided if those lockers are not locked - that means that clothes inside of those lockers are public property and you can easily borrow them (tried to browser to other urls and get private account info) 6. You go ahead and try opening every single locker in a room and put all the belongings you find in opened lockers on ebay to make profit and sell it, BEFORE letting know the owners or the gym that those belongings are not locked. (sold private data to somebody) I think thats not legal behavior, as long as you understand that the property you are taking is not yours - you are making a crime by taking it (stealing) |
It also wildly disconnects around point 6. You make it sound like he stole everything that the users had in the accounts. In reality, he just copied their info. He didn't give himself anything from their accounts, like transferring credits to give himself free cable or something like that. Instead of stealing everything and selling it on eBay, it was more like him going through people's lockers, taking a picture of what they have inside, and then selling the pictures.