API creds maybe could have been excusable as a mistake which got overlooked or even permissions which changed. In the context of a credit monitoring app, the use of HTTP is really, really, really bad and can't really be excused. It would be interesting to know if there are more issues, but a lot of white-hat researchers stay away from such things when there's no official bug bounty program because of the Computer Fraud and Abuse Act. Interacting with the API outside its intended use by the app could be considered computer intrusion, and it might be advisable to stay away from legal grey areas right now when it comes to Equifax research.