@WPalant I haven't read the original document and all data that supports this, but I have a question: is this judgment because he connected to the database?

It is my understanding that he did connect. In that case, he was aware that the connection to the database might constitute a violation. He is a person that "knows" these things (and even if he might not know the particular DB engine, he was certainly aware that it was in fact a DB engine). Database engines are not supposed to be exposed, and they might contain data from other persons.

The logical course of action was to notify about the exposed credentials without testing the connection.