Will not.
Unless they linked the second account to the first one, but it’s unlikely, especially if it’s some kind of online game, where, according to tradition, developers don’t care about cheaters.
More like a thank you. Well, stimulate to look for vulnerabilities further.
You had to do some decent damage for them to want to punish you.

One must always remember the saying: "No good deed goes unpunished."
According to the subject - it's better not to get involved, because there is a big risk that they will try to hang all the dogs on you (failures in the site, hacks by other hackers, and simply the incompetence of the attendants). Of course, in the end, you will certainly be acquitted by our humane court. But to be under investigation, to survive the seizure of office equipment as material evidence and other delights - do you need this?
For the future - if you find a bug and want to make money, offer to conclude a written contract for a "security check". Only in this case you will protect yourself from fools. But it is not exactly.

I would not.
It's about the same as you walk down the street and find a gun / a bag of dope / a wallet with a hundred thousand bucks. What to do in this case? Yes, just pass by.
Why? Yes, because if you didn’t conclude an agreement to test the site for breaking resistance or search for errors, they can sew on Criminal Code 272. Of course, they can’t sew it on, but all the same, your nerves will be pretty shaken.

I found this in one site, but I reported the hole publicly. There was a temptation to somehow use it and collect a database for all users of the site, but laziness won out. As a result, after the message, everyone could make sure there was a problem, and after 1-2 days the developers fixed it. A few years have passed - no one was persecuted. But they weren't awarded.
PS do not think that there was critical information, only emails