There's so much wrong here that I'm not sure if this is a troll - that is to say, this is a perfect storm of things that shouldn't have happened. I do think any sensible distro would not nuke your system with rm -rf / and depending on the nature of the hack, chances are your system was just a dumb node for a wider botnet - I'd do sensible things like changing your passwords, and keeping an eye out for strange transactions but not panic so much.
Using a default password is dumb. I rarely use the word, but it totally is suitable. Brute force-scanning for ssh and other vulnerabilities like old phpmyadmin versions is trivial, when you already have an army of badly secured systems with passwords like toor floating around. The obscure dinky little machines, the RPIs and IP cameras are the weapons of choice these days, since they're badly secured, as yours was. One machine is meh, a hundred are scary... well these comedians took out chunks of the internet, and machines set up as yours were "oh, no one will ever hack us" are part of the problem. For that matter, from my own (painful) experience, I'd consider a pure password SSH login, without a key, insecure. Having toor as a password would just be unacceptable.
So in future, you'd want to pop the SD card into another box to run an AV scan or zip up the contents, copy it over to another system and scan the archives. That should tell you exactly what the threat is.
You'd also want to disable root ssh logins (which are a terrible habit). I actually typically don't even set up a root password, preferring to use sudo as needed. If you're VPNing in anyway, consider restricting SSH to your VPN and home IP address ranges.
While microwaving is a little extreme, a full reformat and reinstallation, and setting up your rpi to sensible defaults is a good idea.
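A check for the SSH settings recommended above (no root login, no password-only login, SSH limited to VPN/home ranges), as an added example that is not part of the original answer. The user name pi, the address ranges and the finding labels are assumptions made for illustration, and both config samples are constructed.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
WILDCARDS = ("0.0.0.0", "::", "[::]")

# Constructed sample: an unhardened device image.
WEAK_SAMPLE = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""

# Constructed sample after hardening; user name and ranges are placeholders.
HARDENED_SAMPLE = """\
ListenAddress 10.8.0.1
PermitRootLogin no
PasswordAuthentication no
AllowUsers pi@10.8.0.0/24 pi@192.168.1.0/24
"""

def parse_global(text):
    """Collect keyword -> [values] for lines before the first Match block.
    Include files are not followed (a limitation of this example)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, []).append(parts[1] if len(parts) > 1 else "")
    return settings

def audit(text):
    """Return findings; sshd keeps the first value of a single-valued keyword."""
    s = parse_global(text)
    first = lambda k: s.get(k, [DEFAULTS[k]])[0].lower()
    findings = []
    if first("permitrootlogin") != "no":
        findings.append("root-login-allowed")
    if first("passwordauthentication") != "no":
        findings.append("password-auth-enabled")
    listen = s.get("listenaddress", [])
    bound = bool(listen) and not any(
        a in WILDCARDS or a.rsplit(":", 1)[0] in WILDCARDS for a in listen)
    scoped = any("@" in p for v in s.get("allowusers", []) for p in v.split())
    if not (bound or scoped):  # a firewall may enforce this instead
        findings.append("no-source-restriction")
    return findings
```

Call `audit()` on the contents of the device's sshd_config; an empty list means all three settings are in place at the global level.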