It's like you've never heard of SQL injection, can't imagine an indirect attack could be possible.
We weren't talking about that, we were talking about having databases accessible to the public. I'm fully asware there are other attack vectors, but having your DB on a public port/machine is up there with using "p@ssword" as your password.
When we got rid of DBAs (developers know how to use databases yeah? why do we need people who can only do one thing really well?) we lost a lot of knowledge and culture - including the basic tenet that you simply do not expose business-critical database systems to the outside world.
To be fair, it's not a hard thing to check for. Just run a portscan. If you can see the database from a different box, you fucked up and need to fix it.
Just got doxed.
But it does move! -- Galileo Galilei