My mongodb database has been abandoned by an attacker

I've already configured mongod with authentication, but I forget to expose port 27017 to the public, but I do not understand why an attacker can delete my database?

Server information:
MongoDB Server 4.0.3 on Ubuntu 16.04.5

2019-03-26T16: 21: 59.462 + 0000 I NETWORK  [listener] connection accepted from 188.64.174.90:60432 # 351 (7 connections now open)
2019-03-26T16: 21: 59.463 + 0000 I NETWORK  [conn351] received client metadata from 188.64.174.90:60432 conn351: {driver: {name: "mongo-csharp-driver", version: "2.8.0.0"}, os: {type: "Windows", name: "Microsoft Windows 10.0 .17763 ", architecture:" x86_32 ", version:" 10.0.17763 "} Platform:" .NET Framework 4.7.3324.0 "}
2019-03-26T16: 22: 01.172 + 0000 I NETWORK  [listener] connection accepted from 188.64.174.90:60474 # 352 (8 connections now open)
2019-03-26T16: 22: 01.173 + 0000 I NETWORK  [conn352] received client metadata from 188.64.174.90:60474 conn352: {driver: {name: "mongo-csharp-driver", version: "2.8.0.0"}, os: {type: "Windows", name: "Microsoft Windows 10.0.17763 ", architecture:" x86_32 ", version:" 10.0.17763 "} Platform:" .NET Framework 4.7.3324.0 "}
2019-03-26T16: 22: 02.936 + 0000 I COMMAND  [conn352] CMD: drop admin.system.users
2019-03-26T16: 22: 03.515 + 0000 I COMMAND  [conn352] CMD: drop admin.system.version
2019-03-26T16: 22: 03.701 + 0000 I ACCESS   [conn120] Delete app_staging @ app_staging removed from the user information session cache.
2019-03-26T16: 22: 04.099 + 0000 I COMMAND  [conn352] dropDatabase config - from
2019-03-26T16: 22: 04.099 + 0000 I COMMAND  [conn352] dropDatabase config - removal of 0 collections
2019-03-26T16: 22: 04.109 + 0000 I COMMAND  [conn352] dropDatabase config - complete