
"the system is architecturally wrongly designed"

Like:

https://www.fastcompany.com/40468811/heres-why-equifax-yanke...




I was sure the vulnerability was going to be an API key hard coded in the app which allowed retrieving any credit report over the API. That the app was "merely" sending some calls unencrypted was a total let down.


API creds maybe could have been excusable as a mistake which got overlooked or even permissions which changed. In the context of a credit monitoring app, the use of HTTP is really, really, really bad and can't really be excused. It would be interesting to know if there are more issues, but a lot of white-hat researchers stay away from such things when there's no official bug bounty program because of the Computer Fraud and Abuse Act. Interacting with the API outside its intended use by the app could be considered computer intrusion, and it might be advisable to stay away from legal grey areas right now when it comes to Equifax research.



