Post
Topic
Board Service Discussion (Altcoins)
Re: LTCgear.com, the best scrypt/scrypt n/X11 cloud mining service, ROI 2 months
by ThinkI on 24/12/2014, 01:51:33 UTC
The mass changing of the addresses, combined with no lockdown on the accounts, points towards a direct database injection (also known as SQL Injection). Chris mentioned that he will be doing some migrating on the website; that of course includes migrating databases. I highly doubt this was malicious database injection, and most likely the actual reason is an error during the migration or some wrong command executed.

Yes, the scale of the 'attack' suggests 3 options:
1) Hacker using data injection as opper says.

2) Hacker with direct access to the database (data injection does not require direct access). This occurs when one or more of the software stack has been successfully attacked and the hacker can gain full control. Probably inserted control panel code into the admin section of the web site so he/she can do whatever he/she likes when he/she likes until it is removed. Given the software stack has probably not been upgraded for 2 years, this is quite a likely scenario.

3) Defaulting of the addresses by admin (deliberate or not).

For 1 and 2, payment has to stop until the hack is removed. If Chris is working from a snapshot of the accounts then he can still pay out this week, but next week he has to fix the hack.

The hack is quite likely since the hacker has not been paid for his work yet. Let's hope it's option 3, though, and it's accidental.


Not sure if the hacker scenario is plausible.
I have an account I created and never used; it has no share and never received any payment (so totally unknown from the outside), but still the BTC address was changed (I had put a BTC address). The LTC address, which I left blank, was left blank after the change.
(As I didn't access this account last week, the account went into lockdown when I logged in.)

So, unless the hackers have access to the full database, they wouldn't have any way of knowing and altering this account.
(Unless I am mistaken on how they would proceed.)
That's why I think it is Chris who somehow reset the accounts.

Thanks for sharing, that is good to know.

On the other hand, changing all the addresses to false ones is a good way to see which accounts are active and which are not. Active ones get their addresses updated and then get their payouts. Inactive accounts get ignored / email sent to user to activate (change the address) again. Hacked accounts will not pay out to hackers. The hackers, like us, have no idea what is going on.
 
Now that would put a positive spin on the whole thing...