
Good idea to talk to a lawyer? I'd wait until you're actually sued before wasting your time and money worrying about something so stupid. Most people aren't going to sue you if you explain what you did (and why) and it's obvious you had genuine intentions.


Danger Will Robinson! Danger! As anybody who has recently decided to browse Sarah Palin's email can tell you, accessing a computer system to which one does not have legitimate access with genuine intentions is still a federal crime and "It was easy to do!" is not a defense.

If you ever find yourself logged into someone else's account, log out and, if you absolutely have to reproduce it, reproduce the attack against an account you have legitimate control over. (e.g. Register dummydomain.co, set up a Google Apps account tied to it, transfer the domain, regain access to the Google Apps account using nothing but the DNS settings to the transferred dummy domain. If this succeeds, you know you can compromise any account linked to a Google Apps email account on an expired domain -- you don't need to commit a federal crime to demonstrate this.)


Don't take this as legal advice, but there is such a thing as mitigating circumstances. Your suggested approach leaves a gaping security hole open for a fairly long time before anything happens. Also, simply logging in once and doing nothing to verify a new security breach is very different than browsing info. It's like noticing a door was left slightly open, yelling "your door's open" and, if nobody answers, closing but not locking it. Technically you broke the law, but a prosecutor is unlikely to win a case so they will probably just drop it.

PS: Under the right circumstances you could still be sued though. Edit: You can also be sued for just about anything so IMO it's somewhat moot.


Personally, I think that's naive. There are a lot of people that will overreact in the extreme. Especially since they've been caught with their pants down (even though they haven't been specifically outed by name).



