
561 points bearsyankees | 1 comments
tuwtuwtuwtuw ◴[] No.43965199[source]
I'm not sure I understand properly. Did he try to hack a random service he encountered? Is that even legal? Where I live (Sweden) it's definitely not legal.
secalex ◴[] No.43965809[source]
IANAL and this is not legal advice, but you're probably fine reverse engineering a mobile app and intercepting your own network traffic. He was doing ok until he started enumerating IDs in their database, at which point he started venturing into the territory that got weev 3.5 yrs.

https://www.wired.com/2013/03/att-hacker-gets-3-years/

I am not endorsing this interpretation of the CFAA, but this kid needs a lawyer.

tptacek ◴[] No.43966090[source]
I mean, he ventured in that direction, but until he discloses PII and leaks evidence of his intent that's the extent of the similarity: directional. People on message boards drastically underrate the importance of intent evidence in criminal cases; they all want there to be some hard-and-fast rule like "if you can see it in the URL, and you don't use a single-quote character to break SQL with it, it's fair game", which is not at all how it works.
tuwtuwtuwtuw ◴[] No.43966416[source]
His blog post seems to make it clear that his intent was to gain access to data in a computer system he did not have permission to access. Why would "disclose PII" be relevant?
1. tptacek ◴[] No.43966439[source]
CFAA cases turn on the "why" as much as the "how", and "because I wanted to find and disclose security vulnerabilities for the good of the public" is a disfavored "why". Read the sentencing filings in the case you're talking about to see more about the implication of disclosure.