Seems a bit harsh to fire someone for that. People make mistakes. If anything, you know that this person isn't going to make the same mistake ever again.
Of course, if they do, then firing might be the way to go. First time mistake, second time incompetence.
Perhaps something like this should be in a policy handbook?
"Employees may not use passwords that are used with any service outside of the company."
Zero enforceability (but some companies would probably ask for a list of outside passwords, I'm sure), but in the face of a direct policy violation, 100% fireable, and can help a company in terms of liability.
I doubt he'll be fired just for that, but yeah, that is a big mistake on his part.
In general though, in any security breach the most common way to pivot is via password re-use. You'll see this happen with many privileged employees at almost every company.
Someone's updating their resume tonight.