
How about simply emailing the admin to tell them their database is unsecured? Oh, but that would be benign; I'm sure vandalism is so much more fun.


Unfortunately it's rarely that simple. If you look at the currently exposed MongoDB instances you'll see that most of them are in the cloud without any obvious attribution. You could email the cloud providers and see if they will reach out to the end-user but chances are they already know about it. Here's an article I wrote on that subject, although it was related to industrial control systems:

https://blog.shodan.io/taking-things-offline-is-hard/


“Fix auth”. Add item to todo list and just forget because there are other more pressing tasks to do.


It's easy to say "you could have just emailed them" when you are not the one doing this for years without things getting better. Often admins flat out ignore you. Even if not they usually do nothing. And if they do something it takes ages.


I don't doubt that for a moment; I have also reported issues of various kinds -- not this specific one -- that have gone unresolved for ages.

That still doesn't justify vandalism.


In the article one provider was notified that their database was without a password and publicly accessible.

They secured it, and somehow managed to make it publicly accessible again without a password; this time it got hit by this attack.

Honestly this is like if a company decides to keep their paper records with my information on a public sidewalk, and somebody saw that and decided to bring them to the landfill.

Is it legal or fair? In a perfect world no, but at this point the company is not blameless.



