Did you hear about the recent thing where tens of thousands of MongoDB instances were broken into, the data was encrypted, and the attackers asked for a ransom to decrypt it? I don't know what's worse: using default credentials for a public-facing database, or not backing it up so you actually would need to pay the ransom 🙂