Private Browsing doesn't give any protection. It only prevents Firefox from storing session data in the Firefox profile folder.

• https://support.mozilla.org/kb/Private+Browsing

Always make sure to log out and use a Master Password to protect any stored password.

• https://support.mozilla.org/kb/protecting-stored-passwords-mobile

Not getting hacked requires a lot of things to work correctly. This is not an exhaustive list, but some high level suggestions.

(1) Always send your login over an encrypted connection

When you connect to a sensitive site's HTTPS login page, your browser and the web server will negotiate a secure connection method. Firefox then should display the gray or green lock icon to the left of the URL on the address bar. Only then is it safe to submit your password.

By default, Firefox will verify that web server's security certificate has not expired, is for the server you are visiting, and is "signed" by an authority is recognizes. If Firefox objects to the certificate, you can store an exception. However, such objections may indicate that your connection is being intercepted, in which case the interceptor may be able to read your login. So take any certificate errors seriously and avoid making exceptions unless there is an excellent reason.

(2) Encrypt your entire session whenever possible

Some sites such as Facebook will log you in securely but then switch to HTTP instead of HTTPS. There is a Facebook setting to change this so your entire session is over HTTPS. The reason that's better is otherwise your session credentials (e.g., cookies) can be intercepted and potentially used by others to take actions as your browser. This is a particular concern on open wi-fi hotspots where everyone in the room can see your submissions if they are not encrypted.

(3) Be wary of phishing

Unless you have perfect filters (which is impossible), you will occasionally get emails saying you need to check or update your account and inviting you to login using a deceptive link which allows a third party to capture your login. Be extremely skeptical of any email like that, and always try your regular bookmark or URL to log in rather than a link in an email.

(4) Use good security software

On Android, as well as on desktop operating systems, there are both free and paid apps to check new apps you install and to remove malware. Because software that installs at the system level can monitor keystrokes/finger taps, they can intercept logins before the browser encrypts them.

(5) Keep software up-to-date

Attackers can bypass security software in some cases, by dynamically corrupting a trusted application in memory. In addition to update your operating system and browser, keep your plugins (and other software that can open untrusted content) up-to-date.

I forgot: log out when you are done with a site, and close the tab/window in which you were viewing it. This will make it difficult for anyone else with access to your browser to access what you viewed during your secure logged-in session.