He should serve 1 day in jail for each credential sold. Done consecutively.
That - or my favorite proposed punishment for hackers and computer virus spreaders is that everyone who is effected by their actions gets to kick them in the junk - just once.