I'm not sure I agree with your assessment of username and password . Usernames and passwords passed in plain-text are de minimis security. At best, at least under United States law (I'm not sure how Dutch law treats IP) the information may be classified as a trade secret. But copyright infringement has not occurred because direct copyright infringement requires actual copying.
This would be a perfect example of security by obscurity. A poster argues above that the same argument can apply to the configuration of key bumps, so that this can't really be called security by obscurity , but in actuality all that StO comprises is security where an attacker's knowledge of the vector alone will constitute access. In the case of a key, the attacker must have 1) the knowledge of the key configuration, and 2) a blank key with a method to cut that key. SbO is hiding a key under a rock; knowledge of the location alone is all that is needed to compromise the security portal, and no other device is required other than the vector. I'd say it would be presumptive to say "we all agree" that information such as that should be confidential, since, to some degree, it requires a "looking the other way" and 3rd party nondisclosure to keep the security valid and uncompromised. You'd essentially be saying that we should bind all people, as a matter of law, to nondisclosure to protect poor security. Tennessee did that with Netflix passwords, and there's a very strong argument that such a law is blatantly unconstitutional as a limitation of free speech. Denmark'sMMV, however.
If the copyrighted works are accessible by simple knowledge of an arrangement of characters in a hyperlink, and no other security measure is required, then they are protected only by StO. Depending on what you're talking about, this may be enough. U.S. trade secrets require 1) something that provides economic advantage by being kept secret, and 2) reasonable efforts to keep that thing secret. StO might well-enough be reasonable, though not advisable, to protect trade secrets. But this wasn't a trade secret case. It's a copyright case. In many countries, and for a while in the United States, copyright requires disclosure of copyright notice, which means disclosure of the work. You couldn't keep something locked in a vault, and then when someone published something allegedly infringing, you pulled the item out of the vault and claimed copyright infringement.
Furthermore, in order to constitute copyright infringement, copying must actually occur. I'm assuming this was a contributory copyright infringement case, similar to U.S. P2P uploading cases, but even under such rules, generally at common law, contributory or secondary copyright infringement requires more than a provision of a link. The Dutch Supreme Court has established that hyperlinking to copyright material is not copyright infringement. This ruling, which states that hyperlinking to copyrighted material is copyright infringement, stands in contest to that, no matter what way you want to spin it. It should be overturned. If the plaintiff had brought a misappropriation of trade secrets claim, then it might have had more success. But copyright infringement through hyperlinks, either direct or contributory, is not a recognizable wrong.