> How is it different from bruteforcing a weak password on an email account
It is different in these ways:
* Brute-forcing the email password is an attempt to circumvent a system designed specifically to keep unauthorized people out. One can not claim this info is public or that authorization was implied.
* Repeatedly making a call to an open, yet hidden, API is simply using it as it was designed. IMO, at most this dude violated some AT&T TOS by scripting the requests.
It is different in these ways:
* Brute-forcing the email password is an attempt to circumvent a system designed specifically to keep unauthorized people out. One can not claim this info is public or that authorization was implied.
* Repeatedly making a call to an open, yet hidden, API is simply using it as it was designed. IMO, at most this dude violated some AT&T TOS by scripting the requests.