Considering that it the db isn't public and the disclosures are listed at the bottom, before the publication, this is mostly white hat and helps the company they target. More and more businesses are accepting the help when they are given it, such as their response to put a WAF in place. I do agree you shouldn't use your Christian name in these sorts of situations since priors have not been established with the targetted company; however Catwatchful has no impetuous to pursue meaningless charges for a stalker app as there are most likely no damages unless the service providers actually respond, which they most likely won't.
Nothing ever happens to these people and do you think datacenters/hosts/providers really care about anything other than DMCA complaints?
(report illicit/illegal content to a host provider that isn't copyright protected and wait.. you will be waiting long after your teeth have fallen out)
Do you really think that the users of a stalker app care if the app got "hacked" once or twice? Do you also think that the app makers themselves really want to remind the legal world that this stuff is legal when i bet you >50% of their users probably installed it on devices that aren't theirs?
IDK, personally I would avoid the law at all costs if I released something this shady.