That said, he could have gone "gray-hat" and used the source to find in-scope bugs. Such a resource would be invaluable to an exploit author or bug bounty hunter.
You're right, but it will still get you into legal trouble. Not only may you not get a bounty, but they might sue or press charges for essentially copying and scanning their source code.
Generally "gray hat" and "corporation/law-friendly" don't mix, even if there are some cases that call for it.
From Wikipedia, which agrees with my understanding of the phrase: "… such people sometimes act illegally, though in good will, to identify vulnerabilities in computing processes." My point, though, is that it's hardly out of scope when it's a valuable resource for developing novel attacks on in-scope domains.
Using login in credentials that are not your own found in a public place to take source code is like finding someones house key on a park bench and coping their secret invention designs or trade secrets.
As I read it, he didn't use the credentials to take the source code; he found the credentials in the source code. He used the credentials merely to verify the credentials were valid.
Define "take" source code. Do you mean "read" or "access" source code? I know this is an aside, but I think we as a community need to be more judicious in our use of criminally-accusatory words, especially when it comes to taking/stealing/theft vs copying vs distributing/selling vs reading/watching/accessing. They're all very, very different things.
You read my post in the ~5 secs widow where it had the word "take." It was the wrong word because in the case I was talking about it would not have deprived Prezi access to their source code.