url hacking my site

The following URL was found in my Online Customers page:
https://www.mydomain.com/country/getstatesbycountryid?countryid=1&addselectstateitem=true&_=1583341133969

I posted the URL in my Chrome browser and it pulled all of my States from y database.  Here are the results:

[{"id":0,"name":"Select state"},
{"id":1,"name":"AA (Armed Forces Americas)"},
{"id":2,"name":"AE (Armed Forces Europe)"},
{"id":3,"name":"Alabama"},
{"id":4,"name":"Alaska"},
{"id":5,"name":"American Samoa"},
{"id":6,"name":"AP (Armed Forces Pacific)"},
{"id":7,"name":"Arizona"},
{"id":8,"name":"Arkansas"},
{"id":9,"name":"California"},
{"id":10,"name":"Colorado"},
{"id":11,"name":"Connecticut"},
{"id":12,"name":"Delaware"},
{"id":13,"name":"District of Columbia"},
{"id":14,"name":"Federated States of Micronesia"},
{"id":15,"name":"Florida"},
plus all subsequent states.

What is this all about? Is it a HACK attempt? Any way to stop them? The URL comes from this IP: 206.212.229.116

Dan

In all likelihood it's just a bot/spider following public routes.  If you look at the CountryController you'll see the GetStatesByCountryId is public facing and returns the expected JSON results that you see:

//available even when navigation is not allowed
 [CheckAccessPublicStore(true)]
 public virtual IActionResult GetStatesByCountryId(string countryId, bool addSelectStateItem)
        {
            var model = _countryModelFactory.GetStatesByCountryId(countryId, addSelectStateItem);
            return Json(model);
        }

This url can be called from various froms, like customer info, address add/edit, registration etc. It’s not a problem.