Database names.nsf on public servers usually contains all details about users, groups, server configurations. With R8 this content is now seen on the web by default. There are plenty of possibilities how to secure the data. The easiest one though is to check Don’t allow URL open on application properties. 

As always there is a catch. As ?Login web command still works on names.nsf, ?Logout doesn’t. However ?Logout works on any other database that allows URL open.