Hi, we've encountered a worrying situation on a significant website - all users suddenly locked out. Password recovery and change allowed them to get back in. On inspecting settings and database, the site had been switched from "Hashed in db/Cannot be decrypted" to "Clear Text in db", and all passwords had changed to short random strings, and password salts had gone.
We were able to restore everything easily enough, but the worry is how did this happen? Only one person accessed the site settings over the affected period (we know this from IIS logs), and he is an experienced developer who knows what he's doing - he was simply setting the site to Closed, then unclosing it a few minutes later after a code update. He swears on everything that he did not make this change, and cannot see how he could have done it accidentally either.
But we can see no other possibility than somehow he made this change accidentally while using the site settings page.
So I'm wondering a) is there any other possibility for how this happened, and b) could this setting be better protected to prevent this change? For example a control that needs to be "unlocked" to make a change, or at least showing a warning and confirm/cancel dialogue? Or even remove this from the UI completely and have it as only settable in the database. I don't think there can ever be a scenario where this would be a desirable change, and surely all sites should be in "Hashed in db/Cannot be decrypted" mode?