Why do you say Facebook has the means to mitigate this quite easily? That's not really true as I understand it.

The problem is that these announcements are made by third parties, and accepted by fourth parties, both of which Facebook has no control over.

While it's possible for Facebook to implement some controls over what routes THEY accept and therefor what routes Facebook sends traffic TO - it cannot control where others send traffic. If a third party advertises Facebooks routes to a fourth party, and they accept them, Facebook cannot do anything directly about that. And then those fourth parties accepting the routes will send traffic TO Facebook via the third party.

I didn't look to see how much of Facebook's ranges got hijacked. Assuming some got hijacked and others didn't (which is usually what happened), they could direct more traffic to ranges that weren't hijacked (assuming their DNS ranges didn't get hijacked). For the ranges where the hijacking wasn't at the /24 level, Facebook also has plenty of staff who could adjust to advertise more specific routes. All the big internet companies with ASNs should have that though; but the smaller places that probably got hijacked too may not.

Disclosure: I used to work at WhatsApp, including while it was part of Facebook. Everything in this message is armchair routing policy though.

With a leak this size that could have blown up the table and caused some serious problems.

Max prefix kicked in and tore down the sessions before that damage started (it's also why it was so short).

Not really, see some explanation there https://dyn.com/blog/iran-leaks-censorship-via-bgp-hijacks/ and there https://www.youtube.com/watch?v=IzLPKuAOe50