Think I've posted this before but my employer paid Elastic for the official training - and even that course included everything on how to set up, run and tune ES but applying any security was only covered in the advanced course that you had to pay another $x thousand dollars to attend.

So even doing official Elastic training still leaves you with a nice footgun.

Yeah. "Not leaking data" is basically a pay-for way for Elastic to commercialise the tool. A pretty shitty way, I would say.

By default, Elasticsearch is unsecured. If you manage your own ES cluster, you have to go through a few steps to secure it manually. Lots of people either don't know/don't care about this though, so they regularly expose their data to the whole internet.

It has no authentication by default, and it listens on all interfaces instead of just localhost by default.

I used it for a while at home for a project, and setting up auth was quite a process, very difficult compared to most other databases.