That example is not at all the same as what's being discussed. The issue at hand is whether access to a public URL is authorized and who is responsible for determining that authorization.
Actually the analogy is OK, the interpretation is wrong. If you disagree with sneak you're saying the account holder should be prosecuted!
Claiming ownership of the money would be like weev selling the email list to spammers, which he didn't. What he did was reveal the defect - like the acoount-holder reporting the mis-deposit.