I've come across unprotected Memcached deployments in a couple of pen-tests. On one engagement in particular someone poking Memcached would be able to (temporarily) increase their account balance and even access CC numbers from recent transactions. :(
As far as I see it, this is one of the unintentional side effects of "hosting in the cloud". If you had co-located servers you'd whack up a firewall and only allow your internal IPs to access non-HTTP ports. Alas everyone now just spins up an S3 image and palms it off to Amazon.