Got an email saying my password is weak, reason for concern?
They do not need to be able to read your password to test it against known weak and guessable passwords. All they need to do is to try all the guessable passwords against your password. It can be properly hashed and salted, as they are supposed to do.
They can do this quickly because they have legitimate access to the password hashes and can simply have tests running in the background. There are even services out there for companies to use that hold leaked passwords from other known leaked password databases.
Of course, once they test it, then they might know what your password is (depending on how they tested it), but then, so can attackers using the same method.
So, there is no indication of improper password handling. No reason for concern. But, if their automated testing found it, then your password is probably very guessable and should be changed as soon as possible.
The email may be totally legit, you don't actually need to know the password in plaintext to know that it has been part of a data breach, just that the hash of your password is in a data breach, that's how the API of haveibeenpwned works for example.
Furthermore if your password is weak you should probably change it :)