I searched SHODAN for "ActiveMQ" and found this:
The admin page gives me control over their operations without any password or security barrier at all. I can view transactions, and apparently delete them and create new ones!
This looks like real live financial data:
I found an abbreviation for the company, and located an insurance company that uses that abbreviation.
I phoned their "Fraud" division, and was transferred up the ladder, and within two hours a real infosec guy called me back.
I emailed him these images.
However, the next day the portal was still open, so I explored it some more and found the domain name of the software developer that made the site, apparently under contract to the insurance company.
I sent this email to the software developer, with a Cc: to the insurance company:
I got this response:
And I see that the problem was indeed fixed; the page was no longer accessible when I tried it at 6:35 PM on April 29, 2013.
Posted 5-1-13, 6:08 PM by Sam Bowne.