by ralphington 1820 days ago
What kind of database auth did you have? Wouldn't they have had to access config files or related in order to obtain your passwords, usernames, etc?
2 comments

I think by default MongoDB has no enabled access control, so there is no default user or password.
Am I misunderstanding or do people launch their Mongo container without even MONGO_INITDB_ROOT_{USERNAME,PASSWORD}? It's clearly mentioned in the image README. Takes 15 seconds to set. I'd be incredibly concerned if anybody with more than a day of infrastructure experience did this, even worse on a production database.
How is this acceptable… requiring a password, even a weak one, might have at least bought some time in this situation.
Mongo is so insecure that it's commonplace to not bother with usernames and passwords and just firewall the hell out of it instead. Plus that's one more plaintext password you'll end up storing all over the place. Its default configuration requires no authentication.

Not saying it's a good practice but it's a common pattern I've seen.
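
Added example, not part of the thread and not code from any commenter: a small audit of Compose service definitions that flags `mongo` containers started without the `MONGO_INITDB_ROOT_{USERNAME,PASSWORD}` variables mentioned above, with the password stored inline, or with port 27017 published beyond loopback. The service names and sample definitions are constructed; the `_FILE` variants are the official image's way to read these values from a file instead of the environment.

```python
import json

ROOT_VARS = ("MONGO_INITDB_ROOT_USERNAME", "MONGO_INITDB_ROOT_PASSWORD")

def env_keys(svc):
    """Names of env vars given a value; Compose allows a mapping or a KEY=VALUE list."""
    env = svc.get("environment") or {}
    if isinstance(env, dict):
        pairs = env.items()
    else:
        pairs = ((i.partition("=")[0], i.partition("=")[2] if "=" in i else None) for i in env)
    # None means "pass through from the host shell"; only an explicit empty value is unset.
    return {k for k, v in pairs if v != ""}

def exposed_publicly(svc):
    """True if container port 27017 is published on a non-loopback host address."""
    for port in svc.get("ports") or []:
        if isinstance(port, dict):  # long syntax
            target, host_ip = str(port.get("target")), port.get("host_ip", "")
        else:  # short syntax (IPv4 only here): [host_ip:][published:]target[/proto]
            parts = str(port).split("/")[0].split(":")
            target, host_ip = parts[-1], parts[0] if len(parts) == 3 else ""
        if target == "27017" and host_ip not in ("127.0.0.1", "::1"):
            return True
    return False

def audit(compose):
    """Map each mongo service name to a list of findings (empty list = clean)."""
    findings = {}
    for name, svc in compose.get("services", {}).items():
        image = str(svc.get("image", "")).split("@")[0].split("/")[-1].split(":")[0]
        if image != "mongo":
            continue
        keys, issues = env_keys(svc), []
        for var in ROOT_VARS:
            if var not in keys and var + "_FILE" not in keys:
                issues.append("missing " + var)
            elif var.endswith("PASSWORD") and var in keys:
                issues.append("password inline; prefer " + var + "_FILE")
        if exposed_publicly(svc):
            issues.append("27017 published beyond loopback")
        findings[name] = issues
    return findings

# Constructed sample (Compose accepts JSON, which is valid YAML); not from the thread.
SAMPLE = json.loads("""{"services": {
  "db_open":   {"image": "mongo:4.4", "ports": ["27017:27017"]},
  "db_inline": {"image": "mongo", "environment": {"MONGO_INITDB_ROOT_USERNAME": "admin", "MONGO_INITDB_ROOT_PASSWORD": "example-only"}},
  "db_auth":   {"image": "mongo:4.4", "ports": ["127.0.0.1:27017:27017"], "environment": ["MONGO_INITDB_ROOT_USERNAME=admin", "MONGO_INITDB_ROOT_PASSWORD_FILE=/run/secrets/mongo_root"]},
  "web":       {"image": "nginx"}}}""")

if __name__ == "__main__":
    for service, issues in audit(SAMPLE).items():
        print(service, issues or "ok")
```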