Do you remember when the iPad was first released way back when. There was a problem with AT&T registration system that allowed you to send a ID from an iPad and it responded with the users email address?
Once the group figured out what they could do, they created a script that generated valid ID’s then ran them against the site and recorded the results. Instead of just stopping at a few and calling it a day it looks like ran up to 1000’s. At this point the case on the researchers side is that they did responsible disclosure, but if you read the IRC logs it does not really look like that.
Here is the link to Wired.