Actually, no, they couldn't have. During the period of the problem, it would have been possible to grab Paco's password. But doing so would have shown in the logs and I checked all of the logs and made sure every such access was reported to the account holder. (Most turned out to be people looking at their own accounts.)
I don't know how Paco managed to return, but it wasn't via the method you suggest. And if anyone didn't get notice from me to change their password, then their password wasn't accessed either.