2 points by shellpipe 8 hours ago | 1 comment
  • simon84 8 hours ago
    Any idea how it got there in the first place?
    • shellpipe 7 hours ago
      Not entirely sure, but my best guess is that the previous DevOps engineer was running a PostgreSQL 14 instance exposed to the internet with the password set to postgres. There's even an old CVE describing a remote code execution path for that kind of setup. Unfortunately, the PostgreSQL logs had been deleted, so I was never able to confirm it.