I upgraded all of my sites to 2.8.4 a while back, and this was supposed to solve the password vulnerability problem. Here's the thing...
This morning I awoke to find a notification from one of my sites that someone had requested a password reset. That was immediately followed by an e-mail saying that the password had been reset, though it didn't actually include a new password.
Curious, I logged in (I typed the URL directly, didn't follow the link in the e-mail) and found that my original password still works. Once I was logged in, however, I was greeted by a message saying that I was using an auto-generated password, and asking if I wanted to change it.
Has anyone seen anything like this?
A few notes:
- The e-mail address and domain have nothing in common, so this doesn't appear to be a case of social engineering
- The link included in the original e-mail is legit (I viewed the source)
- I ended up resetting the password myself and all of the e-mails looked identical to what I originally received