I have an installation that I discovered was live with an apache2 config problem which meant the .htaccess files were doing nothing. Hence the config.xml was exposed to web browsers on port 80. Meaning anyone could click on it and read the Encryption Key and the database login details.
Changing the database login is obvious. But what do I do about the encryption key? Is there a tool to change it for the magento installation?