by krg 4821 days ago
I'm surprised this is so common. I've never set up any database accessible to the public-- I've already got to worry about securing the public-facing web server, why add another vector for attack?

Even without being publicly accessible, it's a DBA's nightmare scenario. There are plenty of corporate data warehousing environments in which many hundreds of employees have direct access to the database. This exploit would allow any of those employees to drop tables without exposing their credentials.
In one case, a large service provider is specifically providing that kind of database access to their customers.

And to be fair: http://www.shodanhq.com/search?q=mysql

You get a lot more results if you search for the service/port directly! http://www.shodanhq.com/search?q=port%3A3306