Re: Out of band management?
That's simply untrue; it's actually far easier to secure out-of-band than normal in-band access. In-band access has to be provided on a wider basis for many use cases and many users. The attack surface and number of potential vulnerabilities are many times greater than OOB done properly.
For a company the size of Facebook, implementing a secure OOB network is trivial. Point-to-point Ethernet over fibre, mutually authenticated point-to-point VPN (authenticated by cert and another factor), physically secured and dedicated terminal in remote Facebook office. Designated engineers using multifactor auth and protected, physically secured creds, plus a code only the engineer knows. Monitored 24/7.
I suppose you could dig up the fibre, splice to your identical hacking hardware, use the cert you previously nicked from the physically secured and network-isolated machine in the FB office. Then get your co-conspirator (who has managed to break into the live datacentre) to go through the mutual auth process with you. Then log in with the physically protected credentials and MFA tokens you have stolen from the Facebook offices, along with the access code that only the designated engineer(s) knows. You would of course have to do this before the 24/7 sec ops team saw the link go down.
Your other option would be to go to Facebook HQ, bash all the guards on the head with a truncheon and make your way through their labyrinthine super-secure building, get to the physically secured terminal, read the mind of the engineer(s) with access codes, get the MFA tokens from the other safe. Again, this would have to be done before sec ops found out that HQ is under attack by hackers armed with truncheons, bashing guards on the noggin and running round the offices like barbarians in Rome.