Is it possible to hack google cloud virtual machine instance through a database?

Question

I deployed an API along with a database using Docker Compose on this instance. Someone hacked it and install miner. I had left the default username and password "postgres" (my bad). So could the instance have been compromised through the db?