It's become a bit of a grey area thanks to most large companies having bug bounty programs now. I think some researchers just assume that all companies are OK with testing against their production services. IMHO it's almost certainly illegal, but simply won't be enforced unless the hacker/researcher does something malicious.