At the time, MongoDB shipped with all databases completely public, with no authentication credentials.
That meant anyone could connect over HTTP and get your data.
From the article:
The problem for MongoDB users seems to be that on some systems the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Users are supposed to read the manual and set up access control and authentication after installing the software but it seems that plenty of them don’t.
Yeah, I recall. Certainly that was a major screw-up, but IMO the users share part of the blame -- if they had a firewall in place this wouldn't have been an issue.
Mongo shares the blame for making it the default and making authentication such a pain to deal with:
- Command line login never works, you have to get into Mongo shell, then authenticate.
- Attaching multiple db permissions to one user has all kinds of gotchas too: I have to switch to each database and re-auth instead of just authing to the user and then switching DBs without further auth.
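The exposure quoted from the article (the server listening on a public interface by default) and the auth setup argued about in the replies come down to two mongod.conf settings, net.bindIp and security.authorization. The following audit script is an added example, not code from this thread or from MongoDB; it assumes the YAML-style mongod.conf and parses only the flat "section / key: value" subset, and both sample configs are constructed.

```python
"""Audit a mongod.conf for the two settings behind the open-database problem."""

# Constructed sample configs: the 'as installed' shape and a hardened one.
OPEN_CONFIG = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONFIG = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Minimal parser for 'section:' lines followed by indented 'key: value' lines.
    Assumption: no lists, no quoting, two levels only (enough for mongod.conf basics)."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):             # top-level section name
            section = key
            tree.setdefault(section, {})
        else:
            tree[section][key] = value.strip()
    return tree


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_simple_yaml(text)
    net, security = cfg.get("net", {}), cfg.get("security", {})
    findings = []
    bind = net.get("bindIp")
    if bind is None:
        findings.append("net.bindIp not set: builds before 3.6 listened on all interfaces")
    elif net.get("bindIpAll", "").lower() == "true" or not {a.strip() for a in bind.split(",")} <= LOOPBACK:
        findings.append(f"net.bindIp={bind}: listens on a non-loopback interface")
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': no credentials are required")
    return findings
```

Run it over a live config with audit_mongod_conf(open("/etc/mongod.conf").read()); a host firewall is still worth having in front of it, as the reply above notes.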