Yeah. I don't agree with the legal threats in any way; I'm simply answering "what law does the attorney claim was broken?"
I don't know enough about the CFAA to say whether providing the tools to exceed authorized access counts as an additional violation. But it would be reasonable to assume that creating the tools required (sporadic) efforts to exceed authorized access.
TBH, the CFAA scares me. While it isn't used to the full potential, it makes a vast amount of normal internet activity a felony, which then allows those in charge to pick off who they want as long as they don't incur too much outrage.
According to Sen. Ron Wyden (D-Ore.), the current incarnation of CFAA would make a mere violation of a website’s terms of service, like lying about your age on Facebook a felony.[1]
Another practice would be changing the '1' to a '2' in the URL http://www.example.com/1.pdf, since the computer running www.example.com is a 'protected computer', and you didn't get authorization to access 2.pdf on the server.
"Protected computer" is basically any server. The CFAA defines it as any computer used or affecting "interstate or foreign commerce", which works out to be most of the internet, thanks to CDNs and the practice of centralized data-centers.[2]
I don't know enough about the CFAA to say whether providing the tools to exceed authorized access counts as an additional violation. But it would be reasonable to assume that creating the tools required (sporadic) efforts to exceed authorized access.