One server without two factor got them owned? Makes you wonder what else was going on. Did they have ssh keys or something that got them further into the network?
That just got them onto a box within the network. That's the biggest hurdle. Once you're inside, you could start poking around for weaknesses and exploit whatever you find.