Your periodic reminder that under US law, you do not have to somehow get past a login page to be exceeding authorized access to a computer system. A prosecutor needs only to show that a reasonable person, looking at the same computer system, would have known they had no authorized access to it.
That makes things like this a pretty bad idea. At least, in the US.
By any chance, do you know what's the legal status of, say, shodan.io in US?
If the screenshots weren't reviewed - or, worse, hand-picked - by a human, but fetched in completely automated and unsupervised manner, then it's essentially the same as any other crawler bot (like Shodan or even Google/Bing) does. Connecting to random public services running on globally-routeable addresses and politely asking them what they do (then storing the result) can be argued to be perfectly legal.
The technical details don't much matter. What matters is what the users do with it, and whether their uses can be shown, by a prosecutor, to represent the kind of access that a reasonable person looking at the same computer system would know was not authorized.
To be fair to the post, and anyone viewing the page, all you're seeing is a screenshot of what I am assuming a bot or crawler made when it successfully connected to various IPs over port 5900.
at this moment we got 91 reports from random companies claiming we breached their networks, i guess they gonna force us to take it down since they are so fucking stupid to add a 8 digits password to their vnc server! lolz
That makes things like this a pretty bad idea. At least, in the US.