http://www.securityfocus.com/infocus/1726
Yeah, i'm not even sure how you set up your mysql user accounts, but it's pretty obvious you didn't 1) disable the ability of users to remotely access your database, 2) using a generic easy to guess password.
Navicat is just a MySQL query tool, your problem lies within how you configured MySQL, not in any program. May want to read up security practices in MySQL to understand your folly, and review all your configurations. Then top it off with reading how to disable other means of connection except for what you use (remote desktop, etc)
But did you seriously think you WOULDN'T GET remotely attacked when you simply connect to navicat and you have full access to your SQL database? :o
/scared
As Rogean said, user error.
