I’m sorry to hear your deployment was not properly secured. Can you provide some more information on the specific version of MongoDB server you installed and a link to the tutorial you followed?
MongoDB 3.6+ only binds to localhost by default and there are multiple reminders about securing your deployment including:
[initandlisten] ** WARNING: Access control is not enabled for the database.
[initandlisten] ** Read and write access to data and configuration is unrestricted.
Enabling remote access to a deployment requires additional manual steps such as binding to non-localhost IP addresses. Defaults have been improved since earlier versions of the MongoDB server, but if you are installing on-premises software there is always some responsibility for fully securing your environment including exposure to remote network access.
MongoDB is a distributed database, so security configuration needs to be coordinated with all of the members of a cluster. There are multiple security mechanisms for administrators to choose from, and they have different configurations. This is more straightforward to configure using a managed service (for example MongoDB Atlas) where the management software has control over deploying and configuring the cluster and can enforce best practices like access control, network encryption, and firewall restrictions.
It is also important to note that security is only one aspect of production deployments. Backup, monitoring, and environment tuning should also be considered. The Operations Checklist and Production Notes in the MongoDB documentation include some considerations to avoid issues with your production MongoDB deployment.
If you have suggestions on how we can further improve the default server configuration to avoid missteps, any ideas would be appreciated. We have a public Feedback site for feature suggestions and product ideas, and you can also share thoughts in forum discussions.
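The reply above describes the two settings that decide whether a self-managed mongod is reachable and unprotected: what interfaces it binds to (net.bindIp / net.bindIpAll) and whether access control is on (security.authorization). The script below is an added example, not code from this thread or from MongoDB; it embeds two constructed mongod.conf fragments (one exposed, one hardened, with a made-up internal address and a placeholder certificate path), reads them with a small purpose-built parser for the flat key/value YAML layout mongod.conf uses, and flags the combination the warning in the reply is about. The option names are real mongod settings; the parser, sample configs and finding text are assumptions of this example.

```python
"""Flag a mongod.conf that listens on a non-loopback interface without
access control (and without TLS). Added example; purpose-built YAML
reader so it runs without PyYAML."""

# Constructed sample: exposed deployment (remote bind, no auth, no TLS).
INSECURE_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0
security:
  authorization: disabled
"""

# Constructed sample: hardened deployment. 10.0.0.5 is a made-up
# cluster-internal address and the pem path is a placeholder.
HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the cluster-internal interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # placeholder path
security:
  authorization: enabled
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_simple_yaml(text):
    """Parse indentation-nested `key: value` / `key:` lines into dicts.
    Handles only the flat mapping style mongod.conf uses (no lists,
    anchors or flow style); `#` starts a comment."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # leave sections that ended
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value == "":          # section header: open a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def exposure_findings(config):
    """Return a list of findings; an empty list means nothing was flagged.
    Defaults mirror mongod 3.6+: bind to 127.0.0.1 only, no TLS."""
    net = config.get("net", {}) or {}
    security = config.get("security", {}) or {}
    bind_ips = [ip.strip() for ip in str(net.get("bindIp", "127.0.0.1")).split(",")]
    remote = [ip for ip in bind_ips if ip not in LOOPBACK]
    if str(net.get("bindIpAll", "false")).lower() == "true":
        remote.append("bindIpAll")  # all interfaces, regardless of bindIp
    auth_enabled = security.get("authorization") == "enabled"
    tls = net.get("tls") if isinstance(net.get("tls"), dict) else {}
    tls_mode = tls.get("mode", "disabled")
    findings = []
    if remote and not auth_enabled:
        findings.append(
            "listening on %s with security.authorization not enabled: "
            "read/write access to all data is unrestricted" % ", ".join(remote))
    if remote and tls_mode == "disabled":
        findings.append(
            "listening on %s with net.tls.mode disabled: "
            "credentials and data cross the network in clear text" % ", ".join(remote))
    return findings


def check_conf(text):
    """Convenience wrapper: parse a mongod.conf string and return findings."""
    return exposure_findings(parse_simple_yaml(text))


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_conf(conf) or ["no findings"])
```

Running the script prints two findings for the exposed sample and none for the hardened one; a config with no net section at all is treated as loopback-only, matching the 3.6+ default the reply mentions. To use it on a real host, read /etc/mongod.conf into a string and pass it to check_conf; keys this reader does not understand (lists, anchors) would need a full YAML parser.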