(I work at Facebook but don't know anything about the event in question or if this post is accurate)
I suspect it wasn't actually a "0-day" in that sense, but rather a disclosed but unpatched vulnerability, and described as "a real 0-day exploit" in the article because of the typical reduced fidelity of press articles.
But then what about this :
"The engineer's computer was compromised using a real zero-day exploit targeting an undisclosed piece of software. (Facebook promptly reported it to the developer.) It allowed a "red team" composed of current and former Facebook employees to access the company's code production environment. (The affected software developer was notified before the drill was disclosed to the rest of the Facebook employees)."
Does that mean they used the discovery of the vulnerability as an opportunity to create the drill (as a "might as well use this" scenario) or was the drill planned with the 0-day and then the developer was notified?
Which came first here, the vulnerability or the plan for the excercise? I would imagine priority would be to patch the system rather than plan a drill, no?
I suspect it wasn't actually a "0-day" in that sense, but rather a disclosed but unpatched vulnerability, and described as "a real 0-day exploit" in the article because of the typical reduced fidelity of press articles.