As a former web application security guy, and now developer, identifying and disclosing vulnerabilities on websites is still very much a troubled area. Most companies don't have proper security@ email addresses set up or monitored, and still don't take kindly to vulns being reported.
That said, publicly disclosing a flaw in addition to defacing the website, even temporarily, is certainly not a classy way to go about it.
Amazon S3 lists objects in alphabetical order.