I haven't run across web sites with weak password schemes but I have run across some sites with unprotected directories wide open. I have always sent an anonymous email to let them know and not open myself up to much by making it easy for them to see who I am or was. Now if you were hacking at the password for a couple of days, I would keep quiet or make a decent effort to cover the tracks. Because those logs that show your activity could be used in a manner that is unfriendly to you. If you feel that strong about telling them and you don't want to get identified, send a letter to the technical contact listed on WHOIS. Just mail it from a large populated zip code. Alternatively you could try the site "bad link" form. Sometime these are forms that exist outside e-mail links.

In reality, I don't think anything would happen and certainly taking you to court over the issue wouldn't be cost effective to them. They would have to subpoena your ISP etc., but you never know eh? See mailing suggestion above.

P.S.

I agree with Nyx.