You had to clear the cookies from Facebook or use the Forgetful Browsing on it or TEMP Ephemeral Storage on the first party cookies to force your browser to ask for a login every time.
The question is, why didn’t you enable 2FA in your Facebook account? that would protect you if someone tries to log in, because at least the system is able to protect you from people trying to log in from somewhere else.
The thing is, If you have other the same password in other services and those services got hacked, that’s how must of the issues happen, people using same username/email with same password and then they are in a database bad guys buy and they can try to input your information and many times it works.
Cookies can be copy and pasted, easily, accessed in the same system easily. It is only when you try to access them from another computer or user, where the encryption starts kicking in, but if someone had access to your computer, they could have access anything they wanted.
Even if the browser ask for your account password to see passwords, the truth is 3p programs can access the passwords without it so it is just an illusion of security.
But sometimes when you change locations, like countries, you are still requested to login, but I don’t know how secure Facebook is so I can’t say much about it in that aspect.
What does Facebook says about your logins? it should have info about it, for example, once someone used my email to their garbage Facebook account, and I had to reset password, login and delete the account.
By downloading the info I could see that the logins were from specific IP and Country and all that.
I think they display that info inside Facebook, but I still downloaded just it in case, I saw the same person opening a Facebook account with my email.
So you should check and see where they logged from, because I doubt it has to do with cookies, it would require too much, like using Teamviewer or somethinfg like that. When they could have just do more harm than hacking a Facebook account.