If you're using MongoDB Atlas, you can allow connections only from a specific subnet. Also, you should of course set a password or use x.509 certs.

If you're hosting your own DB on a cloud provider, connect using a VPC / Heroku's Private Space Peering to keep your database off of the internet.

Simply set a secure password on any DB instances exposed to the internet.

Ah, I see. So no need to find a static IP to use :) Thank you.

I mean, if the database is not directly available on the internet, that would be a great help as well.

Agreed, password is the bare minimum.

Are the databases being meowed lacking any passwords?

At least in the case of MongoDB, yes. Listening on all interfaces and not having a password set.

What does a static IP have to do with this?