Is this a joke?
This is awfully close to "if you see something bad happening, just ignore it" which I find rather ridiculous. I think the morally correct thing to do is inform them privately and, if the owners of the site don't respond (or block you, like in this case), go public so that laypersons know their information is not secure.
A 2 second google search for kidspass uk shows a sitelink for their "Contact Us" page, listing both a phone number and email address: https://www.kidspass.co.uk/contact-us
So unless that page was added post-incident, then IMO both Alex and Troy did not do responsible disclosure.