FurAffinity will never be secure as long as Dragoneer is in charge.

At least as of February 1, here's the answer to your question:

They're salted and hashed, but the hash is a weak one, and the salt is static for all accounts, and is stored directly inside the (now leaked) codebase.

They were working on rolling out a newer, more secure, individually salted password, but at least as of earlier this year that process had not been completed. Passwords were being rehashed in the new format upon successful login, but for legacy purposes the old passwords were still in the database, kind of defeating the purpose.

I've heard a lot of people say that FA shouldn't be blamed for the actions of a few rogue hackers, and while I agree that FA isn't to blame for this particular act of aggression, there is no doubt whatsoever that they've failed as a corporate entity to protect your data in the way you would reasonably expect from any similar enterprise.

They've known about the insecurity of their password scheme for months now, as evidenced both by their previous attempts to roll out a new hashing scheme, and my own personal warnings to them as I was in the process of writing the replacement web app, which used both individually salted and bcrypt slow-hashed passwords.

Had they not scared me (and every single competent developer before me) away, it's likely that FA would be running on this new codebase, and could have mitigated a huge amount of these losses. Hell, the new code was built to be open-source from the get-go, so a leak would've been meaningless.

When you consider that FA actively knew that their accounts were insecure, were warned by IT professionals repeatedly to change and update their system, and failed to do so until right now, when the worst has already happened and your accounts are already compromised, there's just one word for that: negligence.

Beyond just negligence, there's also an element of betrayal of trust, when you consider that:

  • FA has downplayed the severity of the leak over the last few days, only now admitting that they are aware of credential leaks at all,
  • FA has not taken the important step of e-mailing FA account holders to notify them of the breach and send them steps to either reset their password or outright delete their account, and
  • FA is holding banned accounts (including those of their political enemies, like me!) hostage by refusing to allow banned users any access to the support ticket (for account deletion) or password update features. In other words, if you get banned from FA, the last password you had in their database is there forever, at the mercy of whatever leaks happen next. You can't remove it, and you can't change it.
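The password scheme the comment describes, as an added illustration that is neither the poster's nor FA's code: a fast hash with one site-wide constant salt beside a per-user salted slow hash, with a rehash-on-login migration that also drops the legacy hash and reports accounts the migration can never reach. PBKDF2-SHA256 from the Python standard library stands in for bcrypt; the salt value and the record layout are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Legacy scheme of the kind described: one fast hash, one site-wide salt that
# lives in the source tree. The salt value here is a constructed placeholder.
LEGACY_STATIC_SALT = b"constructed-static-salt"
PBKDF2_ROUNDS = 200_000

def legacy_hash(password: str) -> str:
    # Same salt for everyone: equal passwords give equal hashes, and a leaked
    # table plus the leaked salt can be attacked at full hash speed.
    return hashlib.md5(LEGACY_STATIC_SALT + password.encode()).hexdigest()

def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    # Per-user random salt plus a deliberately slow KDF (PBKDF2-SHA256 from the
    # standard library stands in for bcrypt). Stored as "pbkdf2$rounds$salt$digest".
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login(db: dict, user: str, password: str) -> bool:
    """Check the password and migrate the record. A record is
    {"legacy": old_hash_or_None, "modern": new_hash_or_None} (constructed layout)."""
    rec = db[user]
    if rec["modern"] is not None:
        ok = verify_modern(password, rec["modern"])
    else:
        ok = hmac.compare_digest(legacy_hash(password), rec["legacy"])
    if ok:
        if rec["modern"] is None:
            rec["modern"] = modern_hash(password)
        # Drop the weak hash as soon as the strong one exists; keeping both
        # leaves the account exactly as crackable as before the migration.
        rec["legacy"] = None
    return ok

def users_still_at_risk(db: dict) -> list:
    # Rehash-on-login never reaches accounts that do not log in (dormant or
    # banned users), so those rows still need a forced reset or deletion.
    return sorted(u for u, rec in db.items() if rec["legacy"] is not None)
```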