Yep, if you put something on the open internet it needs authentication or it is public to everyone. This isn't a vulnerability unique to MCP - plenty of databases, REST APIs, S3 buckets, and other sorts of resources have been left open before. MCP is just the latest shiny thing people can leave unsecured.