No good deed goes unpunished. This has happened before in the past, and it's why I don't help anyone and if I find a flaw in a system I abuse it 'til the cows come home, because I know exactly how bad they would treat me if I kindly reported it instead
I think there's a little step in between that has been skipped over here: you can notify a company of a breach WITHOUT using the weakness. Not that that in any way excuses the way they handled it (I would rip a serious strip off T Mobile for this), but if you find a weakness, best let the service owner generate their own evidence, or you leave yourself open to exactly this sort of stupidity. You still hold the rights of the notification (and can maybe set a time limit), but at least it makes it much harder to accuse you of hacking because you have not acted on the weakness (it makes it impossible to prove harm in court).
I have been there on a number of occasions, and the only time I ever actively used a vulnerability I ensured I had prior written permission to do so - and even then I stopped before it got dangerous (it would have had a global impact). With ability comes responsibility, just because you can doesn't mean you automatically should.
In the days I did security audits (when they were still "find and fix" instead of "find me some problems so I don't need to give the team a raise but still leave me compliant" tickbox affairs), I once had to evaluate the segregation between some divisions at a bank. It took me just a few minutes to discover that that segregation was at best imaginary, but I was shocked I had to explain to the project leader that I wasn't going to copy any file as evidence because having access to information meant that any leak of that information would create risks for us.
Instead, I got an authorised member of the division who owned that data and let him do the copy and sign off that he could do so in the manner I described, which could have gotten ugly from a regulatory point of view.
That said, I'm done with the public good work. In my experience, if you find a flaw, especially a dangerous one, and you just disclose it to an organisation, the first thing that happens is that the company tries to hide it. Now I sell them a couple of days of my time, which allows me to document the problem for them, find an approach to mitigation and gives them the benefit of a non-disclosure agreement. It's not an approach everyone agrees with, but I work in spheres where public disclosure is frowned upon, and this ensures that the issue is at least flagged and processed at the right level.