Once, when I was young and inexperienced, I left a server exposed to the Internet by accident (I accidentally exposed a user with username postgres, password postgres). In hours the machine had been hacked to run a botnet. Was I stupid? Yes. But I absolutely wasn't a high-profile enough person to "be a target" - clearly someone was just scanning IP addresses.