
That's an oversimplification. What actually happened was: a researcher found a server-side bug in a random backend box, got RCE, logged in, scraped and banked all the creds off the box, reported the bug, and then a month later during a dispute used the creds he stored to attack other FB properties.

Dumping directories from machines and banking their creds isn't "escalating privileges". If you did that on a pro red team project, saving the creds to use a month or two later, you'd get fired.

The case (or however one wants to construe what or how things really happened) isn't too interesting to me. Do you read FB's whitehat rules of engagement differently?

I dug up the mentioned case, and FB's first contact with the researcher included, "Please be mindful that taking additional action after locating a bug violates our bounty policy." Between FB's whitehat policies and that, I'd be pretty sure not to escalate privileges.

Me too.
