
It's relatively common for publications to lazily only reference an action that resulted in a legal outcome, rather than the justification provided for the outcome.

For instance, Bob imprisoned for car bomb rather than Bob imprisoned after judgement rules deaths unlawfully resulted from Bob's malicious car bombing. Had Bob's car bomb been on a film set and no one hurt, Bob would hopefully be fine.

If you read coverage with this in mind, then what matters is more a case of how likely an action is to be unlawful and thus how lazy the publication is being.

If someone blows up a car, we'd assume it was unlawful. If a company stores passwords unlawfully, we'd assume it was unlawful and hopefully for good reason...

From GDPR: "‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed"

A typical security policy for securing passwords is to never store them in plaintext.

It would be a rare situation for the storage to not be accessible (what would be the point of storing it).

Thus it would seem fair to assume that in most cases plain text storage of passwords would be a breach of security (internal controls breach) and would implicitly also be a breach of personal data (legal definition), as it would at the very least be accidentally accessible to staff, contractors or third parties (whoever hosts the storage).

So, it will likely fit the definition of a breach.

But, it still needs to escalate to a point where it would be recognised as serious enough to warrant action (like reporting to data subjects or regulators).

There are situations where storing passwords in plaintext may not warrant reporting or fines, such as if upon realising the breach it was evident that nobody had accessed the data and it was destroyed before harm could be realised; but I doubt anyone would ever know about these situations happening in companies, so it's fair to assume they wouldn't reach major news sites.




Even by the broadest possible definition of a breach, this is still just a control failure rather than a breach. The control that failed might have made it possible for Meta employees to perpetrate a breach, but the article makes no mention of that happening, or provides any suggestion that there is evidence that it might have happened.

At at least one point in my career, I have also accidentally mishandled password data (I accidentally leaked them into a log one time - well, one time that I know of at least). When I did that I caused a control to fail, and I caused a security incident that required follow-up remediation work (including password resets and disclosure), which is exactly what happened here. But I did not cause a data breach to occur. I struggle to imagine a world where I could have caused my employer to be fined $102M for that incident, and for that to be deemed a data breach, when there is no evidence (presented or referenced in this article at least) that a breach ever occurred. If I leave the office and forget to lock the door, I've caused a control failure. But if nobody comes in to rob us, then I haven't caused a robbery or a breach or anything else like that to occur, even if a typical security policy might require me to lock the door before leaving.

The creativity required to come to this conclusion doesn't do anything to improve the credibility of the GDPR, which from an outside perspective really doesn't look like anything other than an import tariff on foreign tech in disguise.


I like to think of a breach as a hole through into the hull... it doesn't mean the boat will sink or even ever will sink; just that the layers of security protections have been compromised.

In the case you mention it seems that happened too: internal actors could reach plaintext passwords and thus for safety the company responded by forcing password reset and disclosure (commendable as I know of companies that would not).

The term "personal data breach" is useful because it defines the range of breaches that the law focuses on (it's not interested in business data or incidents where the first layer of defence fell but the second kept it secure).

I feel it's a bit like having a determination for "road traffic incident". It helps the public, police, etc. identify what is in scope... just because you have one doesn't mean you'll lose your licence or be fined - that depends on a range of factors regarding the lead up to the incident: what happened before, during and after. Similar with data breaches.

If a company has a breach it does not mean much in GDPR unless other factors are considered, so I wouldn't worry about being too focused on the term breach.



