It's not that surprising that Facebook is utterly incompetent...though this might go back to before they bought Instagram...I dunno... This sort of insecure password storage isn't exactly uncommon. If a company is ever able to do password recovery rather than reset, then they're likely storing passwords unencrypted. Thankfully that's a lot less than it was in the past.
Also not exactly surprising they would store people's contacts. To not do so, you're have to trust that they would delete them after having access to them, after constantly hounding you for them all the time to find your "friends".
Books could be written about their poor practices.