People do this all the time, not only with Twitter keys, but DB connection strings and so on. On Stack Overflow, I edit peoples posts to remove their credentials and then let them know. Nice move on the post - I think it's good to let people know when they have a vulnerability.

So, you want people to buy your security software, and you show how good your software is by abusing credentials you found through scanning?

That’s a bold move, let’s see how it works out for you.