"The Development and Operations teams are aware of the situation and the concerns being raised by the community and are discussing the following options:
Requesting that the tool in question be removed and deleted.
Pursuing legal action."

Or, and hear me out Yoshi, how about you don't let the client know about account IDs at all? You can get rid of this tool, throw lawyers at the developer, only for another guy with a chip on his shoulder to make a similar tool, especially since the data is already out on the internet ready for someone else to take advantage of. This is a very weak, short-sighted response; the only real fix is to reassess the implementation of the new blacklist and move towards a more server-side implementation. If you really, really don't want to do that, then you'd have to compromise on only blocking characters rather than account IDs, which defeats part of the purpose of even having these blacklist changes anyway; just bite the bullet and begin implementing server-side blacklists.