The service checks credentials to see if they match those being used on Facebook. Once it finds a set of stolen credentials, it passes the data into a programme that analyses it in computer language.
An automated system then checks it against the Facebook database to see if any of the email addresses and hashed passwords match login information on Facebook, news agency reported.
"Theft of personal data like email addresses and passwords can have larger consequences because people often use the same password on multiple websites," Facebook's security engineer Chris Long wrote in a blog post.
"We built a system dedicated to further securing people's Facebook accounts by actively looking for these public postings, analysing them and then notifying people when we discover that their credentials have shown up elsewhere on the Internet," he said.
If it finds a match, Facebook notifies the affected user the next time they log in and guides them through a process to change their password, the report added.