Hacked?

Would like opinions on this situation :

I received an email from a student this morning (I teach web design and I have them working on my WordPress Multisite install) that he got this email :

Your new Multisite site has been successfully set up at:
http://www.xxxxxxxx.com/multisite/xxxxxxxx/

You can log in to the administrator account with the following information:
Username: xxxxxxxx
Password: N/A
Log in here: http:/xxxxxxxx/multisite/xxxxxxxxx/wp-login.php

We hope you enjoy your new site. Thanks!

–The Team @ Multisite

I removed some informations with the x but the rest is the same : Password showed N/A and I didn’t create any users.

Yesterday the site worked and I didn’t do much on it. My students can add CSS but not plugins or themes.

So I tried to login this morning and I get a pop-up requesting Username and Password instead of the normal login screen. Pop-up says :

The server xxxxxx:80 requires a username and password. The server says : Human Check – U:wordpress P:xxxxxxxxx

I removed the password information but none of these informations correspond to my login and password. I tried checking my cPanel and I get the same pop-up. I didn’t enter any of my info but some of my students probably did. Smells fishy?

What’s your take on this?