I definitely do not assume that I'm the first to find this, only the first to actually get it taken down. Worse, as the try site's been up since at least Jan 2017, that's nearly 18 months of exposure.
We won't know what the real exposure level was unless someone asks LocationSmart very persuasively.
Ideally, they have access logs (for the web API, their backend location requests, or both) that could be used to detect patterns of misuse. Unfortunately, since their API is exclusively POST, the web server access logs will be less useful, but they could be used to detect e.g. direct API queries that skip the consent request.
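A sketch of that last check, as an added example that is not from the original post or from LocationSmart: it flags successful location POSTs that have no consent-request POST from the same client shortly beforehand. The endpoint paths, the 30-minute window and the log lines are assumptions made up for illustration; since POST bodies are not in access logs, it can only correlate by client IP and request order.

```python
import re
from datetime import datetime, timedelta

# Hypothetical endpoint paths (the post does not name them); adjust to the real API.
CONSENT_PATH = "/api/consent-request"
LOCATE_PATH = "/api/locate"
WINDOW = timedelta(minutes=30)  # assumed lifetime of a consent request

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in combined log format (not real data).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2018:12:00:01 +0000] "POST /api/consent-request HTTP/1.1" 200 312
198.51.100.7 - - [10/May/2018:12:01:10 +0000] "POST /api/locate HTTP/1.1" 200 845
203.0.113.9 - - [10/May/2018:12:02:00 +0000] "POST /api/locate HTTP/1.1" 200 851
203.0.113.9 - - [10/May/2018:12:02:03 +0000] "POST /api/locate HTTP/1.1" 200 849
198.51.100.7 - - [10/May/2018:13:30:00 +0000] "POST /api/locate HTTP/1.1" 200 840
192.0.2.44 - - [10/May/2018:13:31:00 +0000] "GET /index.html HTTP/1.1" 200 5120
"""

def find_consentless_queries(log_text):
    """Return (ip, timestamp) for successful locate POSTs with no consent
    POST from the same client in the preceding WINDOW."""
    last_consent = {}  # client IP -> time of its most recent consent POST
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["status"].startswith("2"):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]
        if path == CONSENT_PATH:
            last_consent[m["ip"]] = ts
        elif path == LOCATE_PATH:
            seen = last_consent.get(m["ip"])
            # No consent at all, or the last one is too old to cover this query.
            if seen is None or ts - seen > WINDOW:
                findings.append((m["ip"], ts.isoformat()))
    return findings

if __name__ == "__main__":
    for ip, ts in find_consentless_queries(SAMPLE_LOG):
        print(f"locate without consent request: {ip} at {ts}")
```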