Facebook apps logged users’ passwords in plaintext, because why not

And now it appears Facebook may have inadvertently extracted another bit of critical information: users' login credentials, stored unencrypted on Facebook's servers and accessible to Facebook employees.

The Facebook Lite Android app is most popular in Brazil, Mexico, India, Indonesia, and the Philippines, as well as other countries in South Asia with older 2G and 3G GSM networks, markets where Facebook has experienced much of its recent growth. Lite uses a proxy architecture, with an application server running most of the application code and minimizing the amount of data that needs to be sent to the user's phone. And apparently because it was acting as a proxy, the server was acting on behalf of users and logging their credentials for use in connecting to other Facebook services.
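To make that failure mode concrete, here is an added example (not Facebook's code, and not code from the article) of the pattern described above: a proxy handler that receives a user's credentials and forwards them upstream, a request logger that serialises the whole body, the same logger with sensitive fields redacted before serialisation, and a scan over constructed sample log lines that finds credential fields written without redaction. The key list, function names, the stand-in upstream service and the sample lines are all assumptions made for this example.

```python
import json
import re

# Keys whose values must never reach a log line (hypothetical list for this example).
SENSITIVE_KEYS = {"password", "passwd", "pass", "token", "secret", "authorization"}


def log_request_naively(method, path, body):
    """The failure mode: serialise the whole request body, credentials included."""
    return f"{method} {path} body={json.dumps(body, sort_keys=True)}"


def redact(obj):
    """Recursively replace the value of any sensitive key with a marker."""
    if isinstance(obj, dict):
        return {
            k: "[REDACTED]" if k.lower() in SENSITIVE_KEYS else redact(v)
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_request_redacted(method, path, body):
    """Hardened form: redact before serialising, so the secret never exists as log text."""
    return f"{method} {path} body={json.dumps(redact(body), sort_keys=True)}"


def proxy_login(upstream_login, email, password, logger):
    """Toy proxy handler: receives the client's credentials, logs the request with the
    supplied logger, then forwards the credentials upstream on the user's behalf.
    Returns the log line it produced and the upstream session."""
    body = {"email": email, "password": password}
    line = logger("POST", "/login", body)
    return line, upstream_login(email, password)


def fake_upstream_login(email, _password):
    """Stand-in for the real authentication service (assumption for this example)."""
    return "session-for-" + email


# Detection: locate credential fields in existing logs that were written unredacted.
CRED_PATTERN = re.compile(
    r'"(?:password|passwd|pass|token|secret)"\s*:\s*"(?!\[REDACTED\]")([^"]*)"',
    re.IGNORECASE,
)


def find_leaked_credentials(log_lines):
    """Return (line_number, leaked_value) for every un-redacted credential field."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in CRED_PATTERN.finditer(line):
            hits.append((n, m.group(1)))
    return hits


# Constructed sample log lines (not real data): one naive entry, one harmless entry,
# one entry written by the redacting logger.
SAMPLE_LOG = [
    'POST /login body={"email": "alice@example.com", "password": "hunter2"}',
    'GET /feed body={}',
    'POST /login body={"email": "bob@example.com", "password": "[REDACTED]"}',
]


if __name__ == "__main__":
    leaked, _ = proxy_login(fake_upstream_login, "alice@example.com", "hunter2", log_request_naively)
    safe, _ = proxy_login(fake_upstream_login, "alice@example.com", "hunter2", log_request_redacted)
    print("naive   :", leaked)
    print("redacted:", safe)
    print("leaks in sample log:", find_leaked_credentials(SAMPLE_LOG))
```

The redaction happens on the structured object before it is turned into a string, which is the only place it can be done reliably; a regex applied to finished log text, like the scan above, is a detection and clean-up tool for logs already written, not a substitute for never writing the secret.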

While Facebook Lite users make up the vast majority of those affected, other applications were clearly also involved, as Instagram and non-Lite Facebook accounts were also logged.

According to Krebs' source at Facebook, the company may be artificially reducing the size of the possible exposure of passwords.

But these authentication methods may not be easily available to or effective for many of those affected by this or other password exposures. Using SMS-based 2FA over 2G networks with weak encryption doesn't seem ideal, and thanks to Facebook's use of phone numbers to find profiles, connecting a phone number with a Facebook username is fairly simple.
