There's a major, major hosting company whose server IPMIs all had an internet IP and used a default password for an unreasonably long time. I'm honestly not sure how this company is still around.
Can you please name and shame, or at least link to a news article about this?
I'm going to be a little blunt, but the pattern of "there's a well-known company that's done something bad, you probably use their products, but I can't tell you what company because [I don't want to be deposed in a libel lawsuit / I want to feel intellectually superior]" is really long in the tooth, and doesn't add value to the discussion other than to pique everyone's paranoia.
Eh, screw it. It was Rackspace. I worked there, and was told this by a senior member of the infrastructure staff in a one on one. It was fixed before I got there. They still have similarly bad security flubs.
Last time I looked OVH allowed IPMI access to their servers from the internet. You click a button and it gives you a JNLP which gets you remote console, keyboard/mouse and media.
The OVH IPMI access is pretty cool - needs to be initiated from the web console, no longer requires JNLP, just straight browser access and the web console supports three different two factor authentication methods.
My only regret is that it took us so long to discover and switch to OVH - there are a few wrinkles but it’s such fantastic value compared with colo, let alone AWS/GCP/Azure