Ok. How do you access your servers? Console access? That's not locked down via IP then either? So I can log in from anywhere in the world?
Yes, you can't stop bad system admins from making mistakes but you CAN also limit damage in other ways. In this case maybe not, but without locking things down to known good IPs, you are missing a very basic security feature that can give a huge increase over not doing it.
So please, "Stop spreading garbage" as this was a basic query for information on how it could happen if network level firewall rules are in place, which they should be.
I VPN with both certificates & passwords, in some cases also with RSA. Never locked down to IP, so yes from anywhere in the world.
The culprit was able to fool an incompetent sys admin into allowing him access. Probably via console, yes, or by tearing down the firewall, changing the passphrase, etc. At this point we don't know if it was a dedicated or VPS.
Garbage might have been the wrong word. Please, stop fear mongering.