How would it not be a CFAA violation? E.g. if they included the official client's API key, surely that falls under "(6) knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if—(A) such trafficking affects interstate or foreign commerce".

(I say this not because I think it should be a crime, but because I think the CFAA is a terribly broad law)