Users' passwords were never visible to anyone outside of Facebook, and there is no evidence to date that anyone internally abused or improperly accessed them. Facebook notifies hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users. Facebook Lite is a version of Facebook predominantly used by people in regions with lower connectivity.
Facebook always protects people’s information, and makes improvements as part of ongoing security efforts at Facebook.
In line with security best practices, Facebook masks people’s passwords when they create an account so that no one at the company can see them. In security terms, they “hash” and “salt” the passwords, including using a function called “scrypt” as well as a cryptographic key that lets them irreversibly replace your actual password with a random set of characters. With this technique, Facebook can validate that a person is logging in with the correct password without actually having to store the password in plain text.
Facebook uses a variety of signals to detect suspicious activity. For example, even if a password is entered correctly, they will detect that it is being entered from an unrecognized device or from an unusual location. When a suspicious login attempt is made, they'll ask an additional verification question to prove that the person is the real account owner. People can also sign up to receive alerts about unrecognized logins.
Knowing that some people reuse passwords across different services, they keep a close eye on data breach announcements from other organizations and on publicly posted databases of stolen credentials. They also check whether stolen email and password combinations match the same credentials being used on Facebook. If a match is found, Facebook will notify you the next time you log in and guide you through changing your password.
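The salted, keyed scrypt hashing and the stolen-credential check described above can be sketched as follows. This is an added example, not Facebook's code: the scrypt parameters, the HMAC-SHA256 keyed step, the server key and all sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

# Assumed values for illustration; not Facebook's real key or parameters.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # kept outside the DB
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values are stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per account
    stretched = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    # Keyed step: a stolen database alone is not enough to test guesses offline.
    digest = hmac.new(SERVER_KEY, stretched, hashlib.sha256).digest()
    return salt, digest


def verify_password(password, salt, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def exposed_accounts(leaked_pairs, accounts):
    """Return emails whose leaked password still matches the stored digest."""
    hits = []
    for email, leaked_password in leaked_pairs:
        record = accounts.get(email.lower())
        if record and verify_password(leaked_password, *record):
            hits.append(email.lower())
    return hits


# Constructed sample data: an account store and a third-party breach dump.
ACCOUNTS = {
    "alice@example.com": hash_password("correct horse battery staple"),
    "bob@example.com": hash_password("Tr0ub4dor&3"),
}
LEAKED = [
    ("Alice@example.com", "correct horse battery staple"),  # password reused elsewhere
    ("bob@example.com", "hunter2"),                          # different password here
    ("carol@example.com", "letmein"),                        # no account on this service
]

if __name__ == "__main__":
    print(exposed_accounts(LEAKED, ACCOUNTS))
```

Only the reused credential is flagged, and the check never needs a stored plaintext: each leaked password is run through the same salted hash as a normal login.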
To minimize reliance on passwords, Facebook has added the ability to register a physical security key to your account, so the next time you log in you’ll simply tap a small hardware device that goes in the USB drive of your computer. This measure is particularly critical for high-risk users including journalists, activists, political campaigns and public figures.
Tips to keep your account safe
You can change your password in your settings on Facebook and Instagram. Avoid reusing passwords across different services.
Pick strong and complex passwords for all your accounts. Password manager apps can help.
Consider enabling a security key or two-factor authentication to protect your Facebook account using codes from a third-party authentication app. When you log in with your password, Facebook will ask for a security code or to tap your security key to verify that it is you.