I woke up today to the following message concerning three of my blogs:
Howdy <wp.com username>,
You recently requested to have the administration email address on
your site changed.If this is correct, please click on the following link to change it:
<blog URL>/wp-admin/adminemail/<hash>/You can safely ignore and delete this email if you do not want to
take this action.This email has been sent to <my email>
Regards,
All at <blog name>
<blog URL>
I was fairly sure I had not requested any changes to my admin email in the middle of the night. Could someone have hacked three of my blogs, hosted with three different providers, including one important blog (obviously not this one) protected by several additional security measures?
Furthermore, why was the pending change not shown in the user profile? Unconfirmed email changes should look like this:
Finally, as far as I understand, these emails would be sent to the new admin email address, not the old one, making a hack even more unlikely.
As it turns out, it was a bug in Jetpack. WordFence has more details.