CFAA would be unenforceable if it required unauthorized users to have agreed to the terms of service of the systems they were abusing. You’re not supposed to be there and that’s sufficient.