Security researcher Harry Denley just tweeted the following few days ago:
Shodan is a search engine for Internet connected devices that is well known among security professional and penetration testers. Security swiss-army knife Linux distributions like Kali Linux come with a command-line script for accessing Shodan through the provided libraries. The above uses Shodan to search for and locate Ethereum nodes running Geth (the Ethereum Go client) and then does an eth_accounts JSON RPC (Remote Procedure Call) to the node which returns a list of accounts associated with that node and its IP address.
Note that this has nothing to do with the Ethereum protocol per se but with node operators and how they've parametrized their nodes when invoking the RPC node. Good security practice advises that external RPC calls shouldn't be enabled on nodes which hold funds/keys. Further in the Twitter thread above somebody suggests that the documentation should be updated to make it explicit not to invoke "personal" on the --rpcapi argument when setting up one's node.
Anyway. Something important to keep in mind when running a node. Never just fire up anything using default configurations, always check how exactly is anything set to be running since default configurations and overlooked details is precisely the low hanging fruits anybody goes on to first look for to exploit. And there are instances where it is desirable or even necessary (e.g., when developing a dApp) for one to be running his own Ethereum node (as for example when running automated trading/market maker bots for decentralized exchanges or when accessing the Augur prediction market protocol, etc.),