[davidbrennerjr]

I can't believe people are victim blaming the db admins for not knowing about vulnerability. What good comes of destroying the db instead of talking about the vulnerability to the open source projects? Coincidentally shodan; that I've never heard of.

[tgsovlerkhgsel]

There's a difference between a vulnerability, and a common misconfiguration that usually comes from a "make it work first, security later" mindset.

The good that comes from destroying the DB is:

a) the data is no longer exposed to the Internet, where more malicious actors could take it, affecting the customers of the incompetent company

b) ignoring it stops being a viable option - leaking your customer's data all over the place often doesn't have sufficiently obvious and severe consequences for the company doing the leaking to discourage it. Disruption that breaks production will get their attention, and they likely will secure their database in the future.

(No moral or legal judgement regarding this action, just answering the "what good comes of it" question.)

Edit: Also, someone commented further below on the difficulty of doing it the right way - it's hard to contact the companies, and it's even harder to get them to actually listen and fix it instead of ignoring it or trying to "shoot the messenger". This approach may be wrong and/or illegal, but it it much likely to actually draw the attention of the right people, and prevent them from simply ignoring the problem.

The companies running those open databases aren't just victims; they're also perpetrators of privacy violations. In many cases, they're even collecting data for a purpose that the data subject receives no benefit from.

[heretoo]

So, you've answered "what good comes of it".

For completeness, would you mind answering, "what bad comes of it?"

[jabroni_salad]

You don't need to be a carpenter to know that you should install a lock on the front door of your house. How does anyone get to the point of standing up a production db and is allowing writes from unauthenticated connections?

I am pretty salty since as a sysadmin, I have been getting 'just pipe it to su bash' and 'i need allow any any' and 'bro I need chmod 777 on this directory and all its children' and 'bro this service account has to be a domain admin' from developers my entire professional career. Everything that there is to say has already been said and I am not really sure what to do about it. Nobody is out there peddling these cool fixes as truth and yet they seem to have a cult all the same.

What can we do to make this common knowledge? This needs to be on the same level as washing your hands and not accepting candy from strangers, yet every week we see a new data breach that boils down to 'somebody used the rights as they were designed'.

[dilandau]

Victims are not the DB admins. Victims are the people whose private data, or data they expect to be private, is exposed due to developer incompetence.