The mass changing of the addresses, combined with no lockdown on the accounts, points towards a direct database injection (also known as SQL Injection). Chris mentioned that he will be doing some migrating on the website, which of course includes migrating databases. I highly doubt this was malicious database injection, and most likely the actual reason is an error during the migration or some wrong command executed.