Because it's trivial for him to set up another account and break the service from there. His ability to do this exploit wasn't tied to his specific account. His point was that anyone could be doing this.

=edit= Sorry, I am apparently agreeing with the comment I replied to.

In retrospect, it wasn't that helpful unless they also suspended new account creation, or at least kept an eye on it. But they didn't have that information at that time.

During a security breach, is suspending a malicious user who's currently attacking you really something you sit around and discuss beforehand? Or do you just do it?