FYI there are only some countries where evidence is inadmissible solely because it is acquired illegally (e.g. in the United States, but not most of Europe AFAIK). Not that I in any way condone what this company have done.
Even in the US, the exclusionary rule only protects you against illegal evidence acquisition by the government. If a private party illegally gathers evidence against you (without any government prompting), that is admissible. See for instance Burdeau v. McDowell [1]. Another interesting case on this topic is Sackler v. Sackler [2], where the New York State Court of Appeals held that evidence illegally gathered by private investigators (working for one of the divorcing spouses) was admissible in divorce proceedings.
That's true. However, using credentials harvested in this way is almost certainly going to constitute unauthorised access of a computer system and a breach of the Computer Misuse Act.
[1] https://scholar.google.com/scholar_case?case=107551340662323...
[2] https://scholar.google.com/scholar_case?case=641943334909742...