By Tim Greene
Jan. 12, 2017
MongoDB was never designed to be publicly facing, so it has no built-in authentication. It can be added, Wikholm says, but clearly an enormous number of people chose not to. Judging from the volumes of data these servers contained, many were likely used for business purposes and so likely had admins who missed the chance to protect them and failed to heed warnings.
The lesson to learn from this incident is to better evaluate security warnings. Consider them from the criminal point of view and look for a way someone might make money from exploiting them, Nixon says. When that potential is there, act quickly because someone is surely going to do so soon.