
I'm not saying AT&T was in the clear. Obviously just requiring a reasonably easy-to-guess number to secure an email address is amateur hour. But, at the same time, just because web security is easy to break into, doesn't give people free rein to go traipsing through and pull out what they can.

Keep in mind - 99% of the population wouldn't have been able to figure out how to spoof the user-agent to get into the AT&T site, and most of those that could, wouldn't have gone beyond extracting a couple IDs, and then notifying AT&T.

Weev's sin (if not felony behavior) was extracting 100,000+ personal email addresses, and then exposing them for the sheer purpose of embarrassing people he despised. Do I believe he engaged in illegal behavior? Yes. Do I believe it merits years in jail? No.

With regards to legal obligations - In California, the closest I can find is Bus. & Prof. Code §§ 22575-22578 [1]. It is a requirement for a site collecting personal information to "conspicuously post its privacy policy on its Web site".

I can't find any laws in California that require the securing of this information beyond that, though.

[1] http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc...


