I’d argue that it’s ethically the right decision — particularly when the SaaS provider seem to be burying their head in the sand. Legally on the other hand?
In Stripe's case, I've been very happy with how responsive their support is (even my Suggestion Box submissions get personal replies) - I'd expect Stripe to suspend that account within a couple of hours, regardless of the time-of-day.
But if it was, say, Authorize.net (I can't be the only one?) I'd probably take direct-action (via an anonymous proxy, of course - legacy companies just can't stop themselves shooting the messenger first...)
(Disclaimer: I haven't had to deal with Authorize.net since 2016 - can anyone say if things improved since then?)
