In MongoDB Enterprise, when a MongoDB server accepts authentication attempts via the PLAIN mechanism on the $external database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, passwords are not validated. More details are available on the MongoDB site: https://jira.mongodb.org/browse/SERVER-35610.
For Sitecore XP 8.2 Update-6 and Update-7, upgrade your MongoDB server to version 3.4.16. For Sitecore XP 9.0 Update-2, upgrade your MongoDB server to version 3.6.6.