While testing my app with a couple of friends, I saw that a stranger with the email test@test.com had created an account in the database. I deleted it. How could this happen when I have a password on the test page, and the link and password are not shared with anyone other than my friends? What can I do to prevent this from happening?
Are you using the default username/password combination by any chance?
For the test link? No, it is a new username and password for the test link.