True. Maybe let them know you will be directly contacting each user and letting them know that this service has exposed their personal information to hackers.
I'd definitely not do that. POCing a scraper to check is fine, but you shouldn't save any PII from that data. You're also saying you're the "hacker", as you don't know if it's actually been revealed to others without the forensics that (hopefully) only the business can do.
