I'm pretty sure they just were in a gray enough area that it was never worth suing when they were little. Once they were big enough for the banks to notice it was too late.
But I find the secondary effects to be the most fascinating bit. They created a security risk for the banks by collecting everyone's logins and then were like "Hey bank CISO, the way to mitigate this massive risk we've created for you is to make an API so we can do this safely and delete the creds. k thx byeeee!"
But I find the secondary effects to be the most fascinating bit. They created a security risk for the banks by collecting everyone's logins and then were like "Hey bank CISO, the way to mitigate this massive risk we've created for you is to make an API so we can do this safely and delete the creds. k thx byeeee!"