There usually isn't activity on dead people's accounts that are memorialized. I'd be incredibly heartbroken if someone took my deceased younger brother's accounts because he's "inactive".
Another anecdote: a friend recently had a stroke and was unable to use his phone or computer for many months. I'm sure his grieving, caregiving family members were not thinking about the ToS specifics of his social media accounts to make sure he didn't lose his memories and identity online.
I think it'd be helpful to have a better definition of "inactive." If the user hasn't posted anything ever, and they don't respond, then sure, that's hard to defend. I think that's fair. But if the user has posted content/code/whatever, it's unfair at best and ethically reprehensible at worst, especially in cases where there isn't a memorialized option, to take over their account just because they don't respond to an email within the window of the ToS. There are lots of things that are technically allowed by law or policy that don't make one that takes advantage of them any less of a subjectively terrible person.
If you had approached this from a perspective of "look what can happen to your account" as a security research experiment, that would have been received better than "look at all the people, including those deceased/incapacitated people whose loved ones may be heartbroken, that lost their accounts to me so that I can have a vanity username."
