The cloud instances were left open to the public Internet with no authentication, allowing attackers to wipe the data.