It is very likely illegal but also discouraged to be prosecuted. From the federal government's guidelines on prosecuting unauthorized computer access (https://www.justice.gov/jm/jm-9-48000-computer-fraud):
> "The attorney for the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research."
If you just text out passwords to anybody who asks, are they really doing unauthorized access? Lol.
I’m sure it was illegal somehow, though.