But surely, since ALL of us ALWAYS screen-lock our computers when we are not physically present, and the error message required someone else to type it into the SSMS Messages screen, the correct answer would have to be "That could not possibly happen! :w00t:"
We do do that, don't we?
Well, yes, but
Do we always remember to have a secure BIOS password? Or even have a BIOS password at all?
Do we remember to leave the computer setup so that it will only boot from the main hard drive, not from a pen-drive, DVD, CD, or any other replaceable media?
If any of those 3 gets the answer "no" then this stunt is rather easy.
Besides, locking the computer when you leave is not very effective if half (or more) of your colleagues know your password, or it's one of the top 20 preferred passwords for your gender, or it's scribbled on a post-it note stuck to the underside of your mouse-mat because your employer's lunatic security policy requires passwords to have at least 12 characters each and at most 16 and pass a "strength" test and forces you to change them every 15 days with your last 293 passwords remembered by the system and not reusable. Those sorts of insecurities with passwords used to be extremely common, but I think it's got slightly better and they now are only rather common (although that might just be undue optimism on the part of people who tell me what it's like in their organisations now).