TLDR

I'm leaning towards a 400 because - depending on the information you're trying to provide/change, you don't necessarily want the client to know that the resource doesn't exist, it's just giving the client a bit too much information. 404 implies that you don't have that resource and if they try a few more times, they might find a resource that does exist.

400

I think this is a nice little article about REST states, it says (about 400s):

The request could not be understood by the server due to malformed syntax. The client SHOULD NOT repeat the request without modifications.

404

Wikipedia(Not that i'm using is a definitive source, but just sayin') says:

The requested resource could not be found but may be available again in the future. Subsequent requests by the client are permissible.

My 2 cents*

I guess 404 makes a bit more sense in the conventional sense, because it is not found, however, sometimes you don't want to the client to know that your resource doesn't exist, so you try not to give it too much information, If I'm trying to get a resource and I get a 404 It tells me that If I keep trying I'll get a resource that does exist, but this one doesn't.

For most data you can safely use a 404, but if you find yourself in a place where you're trying to be more conservative about your data, then maybe a 400 will do

PUT

Usually with PUT requests you're looking to mutate the resource, the main errors that might occur are 'unauthorised change', 'resource not found' or 'invalid value'. Obviously there might be others, but let's assume that this is the case for now.

If you're trying to retrieve an attribute it's 'not found', but if you're trying to change something that doesn't exists I think a 'bad request' or a 400 would make more sense.

*: with RESTful APIs everyone has his own interpretation, I gave you mine :)

Good luck ;)