[cle]

Most routers I've seen have a setting to enable "remote management". The DIR 655 does (see pg. 75 of its manual). If you have enabled that, then its login page is accessible via the Internet.

Many small businesses not only have unprotected file shares, and have remote admin turned on so that their IT person can administer the router remotely (as silly as it is). I saw this so many times when I worked in IT. People make all sorts of assumptions about LAN privacy when setting up their network and devices.