It does not matter on what AT&T relied. As long as it was clear that this information is not intended to be public and he was doing something the system was not intended to do and circumventing access controls, however easy it was - and anybody with half a brain would know it was not intended to be public and he is circumventing access controls - the only right thing to do was to notify the admins, delete all the data and stay away. Bruteforcing the access and keeping the massive amount of data could not lead to any other outcome but him being considered a criminal.
This is old, but some people seem to misunderstand it still. If your neighbor has a weak lock, telling him about it is OK. Picking the lock, coming in and going through his private things, while keeping some copies of his bank statements, credit card numbers, etc. - is not OK and has a high chance of landing you in jail. And no, "he had a sucky lock" is not a good defense. You knew it wasn't your property and it wasn't a public place.
If he had to write a script to take the addresses and bruteforce the IDs, there was a lock. A weak one, but still a lock. If there were just a public page that lists all the emails and IDs, the case would be different. I can see no legitimate reason to download a massive list of names - if you wanted to show a vulnerability, one or two emails would be enough. If he stopped when he found a hundred emails or found an algorithm that can generate an ID and guess an email and published that - this would be very different. Even if he created a demo script that would find emails but would not record them (or record sha1 hashes of them - so it can be proven they were true ones but not possible to actually use it for any malicious purpose) - it would still be different.
URLs are not a lock. They are a mechanism for locating a resource. AT&T made no attempt to obscure the resource location, or to mathematically hide the location of a given resource like the rest of the sane world does. Publishing something on a predictable interface and then saying "oopsie, that's private, you're a felon for looking at it" is insane.
You again ignore the facts. He didn't just "look" at it. He wrote a script - a purposeful action - to generate specific sets of IDs based on his guesses about geographic distribution, etc. and used it to download more than 100K email addresses. You here sound like spammers saying "what you want from me, I just sent an email, now it's a crime?". That stopped working long ago. There's a difference between looking at one page and writing a tools that scans through millions of IDs (most of which would be rejected by the access controls) to bruteforce the protection and download 100K of emails. I don't believe anybody can be genuinely so obtuse as not to understand the difference between the two.
This is old, but some people seem to misunderstand it still. If your neighbor has a weak lock, telling him about it is OK. Picking the lock, coming in and going through his private things, while keeping some copies of his bank statements, credit card numbers, etc. - is not OK and has a high chance of landing you in jail. And no, "he had a sucky lock" is not a good defense. You knew it wasn't your property and it wasn't a public place.