1. Some code pulled into this script and licensed under a BSD license is noted as being pulled from another codebase that is not open source.
2. The script in question takes a list of emails and a password. Then it sprays the API (trying each email as a username with the passed-in password) until it finds one that works. I would be curious about the technical details on rate limiting of Mimecast and the legitimate uses of this codebase.
Then the social issue... if you look at the codebase it appears to have nefarious uses (are there legit ones?). Should companies or people take legal courses of action to protect themselves? If so, when?
Note, I understand the line between security research and nefarious actions. This doesn't appear to be about security research. Or, am I missing something?
This right here is the problem with social media: A company or person's reputation can get tarnished simply because a tweet gets popular. It's modern-day mob rule.
It seems strange that someone would make a public claim that sounds this serious and provide zero context or details.