
How would Sega know there are AWS API keys in a public S3 bucket without vpnoverview defacing their careers site? Sega could probably, y'know, look in the S3 bucket at the identified file which contained the keys.

All of the things found could have been investigated by Sega and replicated if vpnoverview just documented how they got access to the info.

You don't have to joyride in a car to show the owner that they dropped their keys.



> You don't have to joyride in a car to show the owner that they dropped their keys.

This is the most accurate analogy I've seen in months, thank you for sharing it!


In this case SEGA, due to their incompetence, lost a bunch of car keys owned by other people despite claiming that they’ll keep them safe (and having a legal obligation to do so under GDPR). So I don’t see any problem with publicly exposing them.



