This information is dangerous :)<p>A while back I published research on open, unauthenticated ICA (Citrix) instances that could be found by doing basic google queries. I was able to find a lot of interesting targets including some belonging to military and government organisations. I published my findings regarding the discovery without including any details. The blog post was very vague. Anyway, it doesn't take a rocket scientist to figure out what's going on once you know the basics. Someone did exactly this and wrecked a few systems. I was contacted later by the affected organisations holding me directly responsible for the damage that was inflicted. I had no involvement whatsoever but the information that I provided was crucial for the discovery of these targets. This was when I realised that regardless of how cool it is to publish security research you should always take the necessary steps to ensure that no one is harmed.
FYI: if you don't want to pay shodan for search results, you could run your own port scan using masscan (<a href="https://github.com/robertdavidgraham/masscan" rel="nofollow">https://github.com/robertdavidgraham/masscan</a>) by running the command<p><pre><code>masscan -p27017 0.0.0.0/0 --excludefile data/exclude.conf
</code></pre>
Be warned that this will scan the entire IPv4 namespace.
I honestly blame DigitalOcean a bit for not providing a VPC and/or a centralized firewall. It is tedious to configure iptables rules on each server and easy to overlook and make mistakes.<p>Furthermore, it should be the job of the firewall to limit access to server interfaces/ports, not the services inside of servers. Binding on 0.0.0.0 seems perfectly acceptable, especially for cluster/distributed services that talk among themselves.
Holy crap, TWO YEARS to patch an insecure default?<p>Sorry, but if you're using MongoDB in production, this is the point where you should start reconsidering that. Two years to patch such a gaping security hole, regardless of any 'breakage', is <i>completely</i> unacceptable.
Am I right that HackedDB could be because someone who noticed the lack of authentication created such a database?<p>If I can connect to an instance without auth, I can also create a DB and collections etc.
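The two defaults the comments above argue about (mongod bound to every interface, and no authorization so any client that reaches the port can create databases) can be checked from the server's own config file. The following audit script is an added example, not code from the thread or from MongoDB; the two config snippets are constructed, and it assumes the YAML mongod.conf layout with the pre-3.6 behaviour that an absent bindIp means all interfaces.

```python
"""Audit a mongod.conf (YAML format) for the two insecure defaults the thread
discusses: listening on every interface and running with no authorization."""

# Constructed sample configs, not taken from any real deployment.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0        # exposed on every network the host sits on
"""
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private cluster address
security:
  authorization: enabled       # clients must present credentials
"""

def parse_mongod_conf(text):
    """Minimal YAML-subset parser: nested 'key: value' maps by indentation."""
    root = {}
    stack = [(-1, root)]                      # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:         # a dedent closes nested maps
            stack.pop()
        if value.strip():
            stack[-1][1][key] = value.strip().strip("'\"")
        else:
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return root

def audit(conf_text):
    """Return findings for a config; an empty list means both defaults are fixed."""
    conf = parse_mongod_conf(conf_text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    # Assumption: before MongoDB 3.6 an absent bindIp meant all interfaces (the
    # default the thread complains about), so absence is treated as 0.0.0.0.
    addrs = [a.strip() for a in net.get("bindIp", "0.0.0.0").split(",")]
    if net.get("bindIpAll") == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp: mongod listens on all interfaces")
    if sec.get("authorization") != "enabled":
        findings.append("security.authorization: not enabled, no credentials required")
    if len(findings) == 2:
        findings.append("CRITICAL: any host that can reach the port gets full read/write")
    return findings
```

Run it against the real /etc/mongod.conf on each server; the host firewall that the thread asks for is the second layer, this only catches the service-side defaults.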