They're talking about viewing the source code and testing the login. The author could have just reported the leaked credentials and not logged on. Testing them especially since it wasn't part of the program falls under potentially extremely malicious.