[simonw]

I'd argue this metaphor is why it IS appropriate to use the word "hack" here.

If you left your door unlocked and someone stole your stuff, that's still a robbery.

If you left your database accidentally midconfigured and someone stole your data and left you an extortion notice, that's still a "hack".

Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?

[koolba]

> If you left your door unlocked and someone stole your stuff, that's still a robbery.

True but hack in this context would be metaphorically closer to "breaking and entering". If your door is open, you've only got the latter half (from an english, not legal definition).

> If you left your database accidentally midconfigured and someone stole your data and left you an extortion notice, that's still a "hack".

I suppose it's a matter of semantics for me. If I use the word "hack" I'd expect a bare level of finesse to get past some defense or prevention system.

> Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?

Not in my book. They're all terrible decisions but then again anything that involves "Using X without understanding the implications of the default set up of X" tends to be a terrible decision.

[Veratyr]

I don't think you quite understand the comment you're replying to. By my reading at least, it's saying "hack" = "heist" and that "heist" is being used somewhere where "robbery" is more appropriate.

I agree that if you leave your door unlocked, it's a robbery but it's not a heist. Likewise, if you leave your database publicly accessible, it's extortion through technical means but it's not hacking.

> Is misconfiguring MongoDB really that different from e.g. installing a Wordpress plugin with a security flaw and getting hacked via that?

Yes. A service that is configured to be publicly accessible is very different to a service that requires active exploitation. Misconfiguring MongoDB is more like making your Wordpress admin page the home page and removing all login requirements.