Facebook is taking advantage of the fact that hackers will often post their stolen data on Pastebin for all the world to see. So whenever a hoard of usernames and passwords leaks from other sites, Facebook goes in, swipes the stolen credentials and checks them against its own user database. Should it find two sets that match, the user will find something like this alarming little notification upon his or her next login. This doesn’t necessarily mean that Facebook knows what your actual password is. Instead of comparing two sets of plain-text passwords, Facebook is comparing their encrypted counterparts.
Source: https://gizmodo.com/how-facebook-uses-leaked-passwords-to-keep-your-account-1647634212
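
The comparison the excerpt describes can be sketched as follows. This is an added example, not Facebook's code and not from the article. It assumes the site stores a per-user salt with a PBKDF2 hash and that the dump uses `email:password` lines; all names and sample data are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this sketch


def hash_password(password, salt):
    """Salted, slow hash of the kind a site stores instead of the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_store(accounts):
    """Build a constructed user table: email -> (salt, stored_hash)."""
    store = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(leak_lines, store):
    """Return emails whose leaked password also matches our stored hash.

    Each leaked plaintext is re-hashed with that user's own salt, so only
    hashes are compared and the plaintext is never stored or logged.
    """
    flagged = []
    for line in leak_lines:
        email, sep, leaked_password = line.strip().partition(":")
        if not sep:
            continue  # skip malformed lines in the dump
        record = store.get(email.lower())
        if record is None:
            continue  # the leaked address has no account here
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):  # constant-time compare
            flagged.append(email.lower())
    return flagged


# Constructed sample data: our user table and a dump leaked from another site.
USERS = make_user_store({"alice@example.com": "correct horse battery",
                         "bob@example.com": "hunter2"})
LEAK = ["bob@example.com:hunter2", "alice@example.com:letmein",
        "carol@example.com:qwerty", "not-a-credential-line"]

if __name__ == "__main__":
    print(find_reused_credentials(LEAK, USERS))
```

Because each account has its own salt, the leaked password has to be re-hashed once per matching account; a flagged account would then be prompted to change its password at next login.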

