We have identified and fixed the problem. CakePHP does not set the id of the record correctly when saving data (http://book.cakephp.org/1.2/en/The-Manual/Developing-with-CakePHP/Models.html):
... // Update: id is set to a numerical value
$this->Recipe->id = 2;
$this->Recipe->save($this->request->data);
...
This does not work properly, as Recipe->id is overwritten by data.
The intruder was able to overwrite the passwords of other users (and no other fields in any of the tables).
The intruder used this page for the attack:
https://mullvad.net/en/about.php ... we have notified the owners.
Tomorrow we will clean the damage and revert the state of the shares of the "proph" asset. Other assets were not affected.
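
The override described in this post, reproduced with a minimal stand-in model and shown beside a hardened save. This is an added example, not part of the original post and not CakePHP's own code; `ToyModel`, `saveOwnRecord` and the sample rows are hypothetical.

```php
<?php
// Minimal stand-in for a model whose save() behaves as the post describes:
// a primary key present in the submitted data replaces the id set by the caller.
// NOT CakePHP code; class, function and field names are hypothetical.
class ToyModel
{
    public $id = null;
    public $rows = [];   // constructed sample table, keyed by id

    public function save(array $data)
    {
        if (isset($data['id'])) {
            $this->id = $data['id'];   // id from the data wins over $this->id
        }
        unset($data['id']);
        $this->rows[$this->id] = array_merge($this->rows[$this->id] ?? [], $data);
        return $this->id;              // id of the row that was written
    }
}

// Hardened save: the row id comes only from the server side (for example the
// session of the logged-in user), and only whitelisted fields pass through.
function saveOwnRecord(ToyModel $model, $authorizedId, array $requestData, array $allowed)
{
    $clean = array_intersect_key($requestData, array_flip($allowed));
    unset($clean['id']);               // never accept a client-supplied key
    $clean['id'] = $authorizedId;      // pin the key to the authorized row
    return $model->save($clean);
}

$users = new ToyModel();
$users->rows = [2 => ['password' => 'hash-of-user-2'], 7 => ['password' => 'hash-of-user-7']];

// Constructed request body sent by the user logged in as id 2, with an extra id field.
$request = ['id' => 7, 'password' => 'new-hash'];

// Pattern from the post: id set first, then the raw request data saved.
$unsafe = clone $users;
$unsafe->id = 2;
$writtenUnsafe = $unsafe->save($request);

// Same request through the hardened path.
$safe = clone $users;
$writtenSafe = saveOwnRecord($safe, 2, $request, ['password']);

printf("unsafe wrote row %d, hardened wrote row %d\n", $writtenUnsafe, $writtenSafe);
```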