Even by the broadest possible definition of a breach, this is still just a control failure rather than a breach. The control that failed might have made it possible for Meta employees to perpetrate a breach, but the article makes no mention of that happening, nor provides any suggestion that there is evidence that it might have happened.
At at least one point in my career, I have also accidentally mishandled password data (I accidentally leaked them into a log one time - well one time that I know of at least). When I did that I caused a control to fail, and I caused a security incident that required follow-up remediation work (including password resets and disclosure), which is exactly what happened here. But I did not cause a data breach to occur. I struggle to imagine a world where I could have caused my employer to be fined $102M for that incident, and for that to be deemed a data breach, when there is no evidence (presented or referenced in this article at least) that a breach ever occurred. If I leave the office and forget to lock the door, I've caused a control failure. But if nobody comes in to rob us, then I haven't caused a robbery or a breach or anything else like that to occur, even if a typical security policy might require me to lock the door before leaving.
The creativity required to come to this conclusion doesn't do anything to improve the credibility of the GDPR, which from an outside perspective really doesn't look like anything other than an import tariff on foreign tech in disguise.
I like to think of a breach as a hole through into the hull... they don't mean the boat will sink or even ever will sink; just that the layers of security protections have been compromised.
In the case you mention it seems that happened too: internal actors could reach plaintext passwords and thus for safety the company responded by forcing password reset and disclosure (commendable as I know of companies that would not).
The term "personal data breach" is useful because it defines the range of breaches that the law focuses on (it's not interested in business data or incidents where the first layer of defence fell but the second kept it secure).
I feel it's a bit like having a determination for "road traffic incident". It helps the public, police, etc identify what is in scope... just because you have one doesn't mean you'll lose your licence or be fined - that depends on a range of factors regarding the lead up to the incident: what happened before, during and after. Similar with data breaches.
If a company has a breach it does not mean much in GDPR unless other factors are considered, so I wouldn't worry about being too focused on the term breach.