Whoever did what
The most chilling comment, which I totally believe, is:
"I could've 1000% used this to send more legit looking emails, trick companies into handing over data etc. And this would've never been found by anyone who would responsibly disclose, due to the [nondisclosure] notice the feds have on their website."
The LEEP server is used by law enforcement and intelligence agencies. A request from the FBI for information will likely be acted upon without question.
And all because of yet another "misconfiguration" (assuming the FBI is being honest about that).