Sheer company stupidity

So here is some background. I was helping a "trust" work on their test server to properly upgrade their Drupal core. Drupal is an open source CMS. They gave me the login credentials to the test server for the MySQL instance: username "root", password "root". Had login issues, blah blah blah, go over to their production server, test the credentials there. THEY WORKED! So being the nice person I am, I reported it to a third party, who took it to them. Yeah, the "trust" sent me an email threatening to pursue criminal charges because I told them about their stupidity.

logic fail

1. Why in the world would you report this to a third party?

2. What idiot set up the login as user:root pass:root?

I didn't trust the faculty member who they trust. Quite frankly, she was the one who set it up that way. So I took it to the head of computer security on campus.

Typical case of killing the messenger because of hurt pride.

If you want my advice: when you tell somebody that s/he fucked up, trick that person into thinking they found out themselves. You can ask questions like "Why is the production machine still accepting the default password?"

People are fundamentally irrational, so take that into account; it will save you a lot of headaches.