I think you may not understand how a cryptographic hash works. In the scheme you are describing, the password is typically hashed on the client side (along with some value specified by the server which changes every time). When the server gets the hash, it hashes the password (as stored in the DB and possibly also hashed) along with the same value and compares the result.
Regardless, what this plugin does is not steal passwords, but simply look for authenticated credentials (usually cookies). See, once you authenticate, the server gives you a cookie (your session identifier) that you pass back with every request to prove you are who you say you are. Since the traffic is not encrypted, this can be intercepted by anyone on a network between you and the Facebook servers. If you live on a college campus or work for an ISP, this could very well be many people.
Even if Facebook is smart enough to tie this session to your IP, it's likely that someone in a correct network position to sniff your packets can also viably spoof your IP (both sending and receiving). This is effectively the same as them hijacking your account except the ability goes away when your session expires.
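The challenge-response login scheme sketched in the first paragraph (client hashes the password together with a server-chosen value that changes every time; server recomputes from its stored hash and compares), written out as an added example that is not part of the original post or of any real site's login code. The concrete choices here are assumptions, since the comment names none: PBKDF2-SHA256 as the stored password hash, HMAC-SHA256 over a random 16-byte nonce as the client's answer, and the `Server` / `client_response` names are invented for the demo.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this demo


def derive_secret(password: str, salt: bytes) -> bytes:
    """Slow salted hash of the password. The server stores only this value,
    never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user_record(password: str) -> Dict[str, bytes]:
    """Constructed user table entry: per-user random salt plus derived secret."""
    salt = os.urandom(16)
    return {"salt": salt, "secret": derive_secret(password, salt)}


class Server:
    """Holds the user table and at most one outstanding challenge per user."""

    def __init__(self, users: Dict[str, Dict[str, bytes]]):
        self.users = users
        self.pending: Dict[str, bytes] = {}

    def issue_challenge(self, username: str) -> Tuple[bytes, bytes]:
        # A fresh random nonce for every attempt: the client's answer is only
        # valid once, so a captured answer cannot be replayed later.
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        record = self.users.get(username)
        # Unknown users still get a (random) salt so the reply looks the same.
        salt = record["salt"] if record else os.urandom(16)
        return salt, nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self.pending.pop(username, None)  # consume it: single use
        record = self.users.get(username)
        if nonce is None or record is None:
            return False
        # Server side never sees the password: it MACs the nonce with the
        # stored secret and compares in constant time.
        expected = hmac.new(record["secret"], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Client side: derive the same secret and MAC the server's nonce with it.
    Only this MAC crosses the wire, never the password."""
    secret = derive_secret(password, salt)
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def demo() -> bool:
    """Fresh challenge succeeds; replaying the same answer is rejected."""
    server = Server({"alice": make_user_record("correct horse battery staple")})
    salt, nonce = server.issue_challenge("alice")
    response = client_response("correct horse battery staple", salt, nonce)
    first = server.verify("alice", response)     # True: nonce still pending
    replayed = server.verify("alice", response)  # False: nonce was consumed
    return first and not replayed


if __name__ == "__main__":
    print("challenge-response demo ok:", demo())
```

Two caveats follow directly from the scheme. First, the value the server stores is password-equivalent here: anyone holding the user table can compute the client's answer without knowing the password, so the table needs the same protection a password store would. Second, and this is the comment's real point, the scheme only keeps the password off the wire during login; the session cookie the server hands out afterwards is a bearer credential, and on an unencrypted connection it is exposed regardless of how login was done. Protecting it means TLS for the whole session and cookies marked `Secure`, not a stronger password hash.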