Biometrics are not passwords. The key attribute of a password is that it's revocable. You only have 10 fingers. If you're using fingerprints as passwords you've got 10 for your whole life, and you leave 'em everywhere, including on the screen of the phone you're using them to secure. Biometrics are usernames. They identify you, but they shouldn't be used without a password. By definition, fingerprint sensors without passwords are not secure.
As a general guideline, if you can chug half a bottle of vodka and pass out, and a malicious actor can log into your account/device/whatever using just your unconscious body and what's on you at the time, you don't have any security at all.
In 2-Factor parlance, a fingerprint is "something you have", whereas a password is "something you know". Together, they're far stronger than either one by itself.
As for how fingerprints are stored, I have no reason to believe that they're stored differently (in principle) to a password. That is, salted, then digested by some hashing algorithm like SHA-256.
Obviously there's some background magic to account for how presenting a fingerprint is a varied process, but in principle there shouldn't be a way to reverse-engineer your fingerprint from the stored hash.
At best, the local device is compromised, and as long as hash values are salted differently in different locations (as they should be), then it'd be for all intents and purposes impossible to use the obtained digest anywhere else.
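The storage scheme described above, as an added example that is not part of the original text and not any vendor's implementation: the same input enrolled with a different random salt in two locations gives unrelated SHA-256 digests, and a digest taken from one location is rejected by the other. It also shows that a reading differing by a single bit fails an exact hash comparison, which is the variation in presented fingerprints that has to be handled before any hashing. The function names and the `TEMPLATE` bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def enroll(template: bytes, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Enrollment: fresh random salt per location, SHA-256 over salt + template."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.sha256(salt + template).digest()

def verify(candidate: bytes, salt: bytes, stored: bytes) -> bool:
    """Re-derive the digest from the presented input; compare in constant time."""
    return hmac.compare_digest(hashlib.sha256(salt + candidate).digest(), stored)

def flip_bit(data: bytes, bit: int) -> bytes:
    """Simulate sensor variation: return a copy of data with one bit flipped."""
    out = bytearray(data)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

# Constructed stand-in for an extracted fingerprint template (not real data).
TEMPLATE = bytes(range(32))

def run_demo() -> dict:
    salt_a, digest_a = enroll(TEMPLATE)  # location A, e.g. a phone
    salt_b, digest_b = enroll(TEMPLATE)  # location B, e.g. a laptop
    noisy = flip_bit(TEMPLATE, 5)        # same finger, slightly different reading
    noisy_digest = hashlib.sha256(salt_a + noisy).digest()
    return {
        "same_input_accepted": verify(TEMPLATE, salt_a, digest_a),
        "digests_differ_across_locations": digest_a != digest_b,
        # A's stored digest is not the input that B hashes, so B rejects it.
        "stolen_digest_accepted_elsewhere": verify(digest_a, salt_b, digest_b),
        "noisy_reading_accepted": verify(noisy, salt_a, digest_a),
        "digest_bits_changed_by_one_bit_of_noise": hamming(digest_a, noisy_digest),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```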