Decent or not is irrelevant to the triggering of the breached credentials. You could have the best possible password ever; once you give it to a service that stores it in plain text, it's game over.
The actual password issue here is password reuse, and what should have been done is not having a Facebook account in the first place. Is it even possible to get out of Facebook once your data is in there?
The user being the account owner, we do know (provided we trust him) that it was not him, so yes, it was reactivated without any user input.
From what I gather, it could be that the email/password was used on another service that got breached and either a bot or someone trying all those breached credentials on Facebook caused the reactivation, or a relative that knew the user/pass, or Facebook trying to collect more personal data on old inactive accounts and inadvertently getting exposed once again.