Like every other person I start my day with a cup of coffee while going online to read the news on an online newspaper. That day on the top of the page there was a banner advertising a seminar hosted by a specific University.

However next to the banner there was an error shown, including an IP address. The error also included the name of a database. It was MySQL.

At that time (around 2005) I was developing a PHP application that was relying to a MySQL database to store tables of information. There was a nice free application that would let you manage the database called MySQL Workbench.

Without further thinking I opened MySQL Workbench typed the IP shown on the banner.

I was asked for a user name and a password. I typed the default user name which was root. I left the password blank.

Simple as that. I was able to browse all tables of that database. Information regarding tutors, courses, internal documents etc. There was even one table that had unencrypted passwords of third party email accounts.

I did not know what to do!

I asked myself. Am I hacker now? Is it possible for an administrator to be that stupid?

And the answer is yes of course!

I closed the database connection. I did not change any data or kept any copy of the information.

Nowadays MySQL has safeguards that would not let that happen, even if an administrator is careless.

It’s the human factor that leaves the door open to the hackers.

As for the hackers their motivation can be political, recognition among friends or just money-money-money.

Bigger company names are targest that could generate more ransom.

You can never be 100% protected online. But you can make a hackers life hard.

Eventually they will leave you for an easier target. Be prepared in advance!