The criticism of this security vulnerability has been well covered at this point, so I'd just like to point out that this should be trivially solvable in a few hours by changing all passwords from HQ.
It'd be quite irresponsible of this researcher if they didn't give notice beforehand (don't know if they have).