Yep. To give production credentials to a junior, on their first day of employment, is asking for trouble. They should never have been written into this document. Not even a rough draft.
And as far as "legal" getting involved? Well, surely any type of investigation would highlight serious security flaws internally. So the CTO and subordinate managers would be far more screwed than the (ex) new guy.