[nacs]

> i.e. the default configuration

The default configuration for MongoDB is to listen on localhost only. Someone changed the configuration if it was listening on a public IP.

[drzaiusapelord]

This is only true after the Mongo people were lambasted on the web for having such a terribly insecure out of the box product. Which was fairly recently. For years the product would bind to all IP addresses. Which is insane for a default install.

Feb 2015:

Discovered 40,000 vulnerable MongoDB databases on the Internet

http://securityaffairs.co/wordpress/33487/hacking/40000-vuln...

The changes were made after this, so we're only talking a few months now.

[gruez]

>The default configuration for MongoDB is to listen on localhost only

That's true, but I remember that change was only made recently. Before, mongo would listen on all IPs and had no passwords.

[eli]

Some official distributions listened to all addresses by default (by design) until recently. https://blog.shodan.io/its-the-data-stupid/