My outside impression is that security is taken seriously enough at Facebook to hire highly competent people to run it. They pay out bug bounties, and run internal red team exercises to test their own ability to detect and react to a compromise. https://threatpost.com/how-facebook-prepared-be-hacked-03081...
I think we can extend them enough benefit of the doubt to rule out storing user passwords in plaintext.
During my new grad interview there I was made privy to some very questionable security decisions that they mentioned linked to PCI-DSS, but nothing on this level.
Edit: PCI compliance rules out plaintext storage so it seems unlikely.
It's worth noting that plaintext storage might not be the case if they store the fourth and only the fourth character separately at encryption time.
The only people that can positively rule out plaintext storage are Facebook engineers, who are generally competent, especially with something as simple as storing password hashes.
At least in this thread, people seem to be giving FB the benefit of the doubt on that particular anti-pattern.
Can anyone rule out plaintext storage?