He reported it AFTER exploring it en masse, and while his motives *may* have been pure... the degree he went to can be and was used to harm him.
Contrary to what was reported from many sources, he DID go to them first, before publishing the exploit. The fault for not fixing it immediately rests on them, not him.
What he did was normal curiosity. Hell, I've done it. In fact I don't know of any web or security professionals who haven't. Got an ID in the URL? Increment it by one, see what happens. We all do it.
Granted, we don't normally explore it to the degree he did. But what he did was ridiculously simple, and hardly even deserves the term "hacking" at all. What THEY did was akin to leaving the back gate open and putting out a sign that says "Come on in!", then complaining about it when someone did.
Anyway, I'll repeat what I said about my own experience: I didn't need to go "fishing" for information in that case. It was being sent TO ME, just in a non-obvious way. I stumbled across it, I didn't go looking for it or trying to exploit it. I sure could have, though.