Simply possessing the information (which is already freely available online) is not on its own unethical. It depends entirely upon what he does with the information, which in this case is protect the owners from malicious individuals who also have access to the information because it's freely available online.
I'm not going to pretend to understand the legal niceties here, but the analogy to "stolen property" rings false because 1) he's not depriving anybody of their passwords 2) the very fact they've been leaked means they aren't really of value anymore.
