Comment by pjdemers

Even startups have contracts with their customers about protecting the customer's data. If it is consumer data, there are even stricter privacy laws. Leaving the production database password lying around in plain text is probably explicitly prohibited by the contracts, and certainly by privacy laws. The CTO should pay him for the rest of the year and give him a great reference for his next job, in return for him to never, ever, ever, tell anyone where he found the production password.