New Admin Email Address message from WordPress – a bug, not a breach

I woke up today to the following message concerning three of my blogs:

Howdy <wp.com username>,

You recently requested to have the administration email address on
your site changed.

If this is correct, please click on the following link to change it:
<blog URL>/wp-admin/adminemail/<hash>/

You can safely ignore and delete this email if you do not want to
take this action.

This email has been sent to <my email>

Regards,
All at <blog name>
<blog URL>

I was fairly sure I had not requested any changes to my admin email in the middle of the night. Could someone have hacked three of my blogs, hosted with three different providers, including one important blog (obviously not this one) protected by several additional security measures?

Furthermore, why was the pending change not shown in the user profile? Unconfirmed email changes should look like this:
WordPress pending email change

Finally, as far as I understand, these emails would be sent to the new admin email address, not the old one, making a hack even more unlikely.

As it turns out, it was a bug in Jetpack. WordFence has more details.

WordPress sharing button opens new window with same post

The problem:

Clicking on the JetPack sharing buttons in WordPress opens a new window¬†with the parameter ?share=... added to the URL. However, instead of being redirected to twitter or Facebook or wherever you wanted to go, you’re redirected to the post itself again.

The solution:

In my case, this was caused by the “Redirect ugly URL’s” setting¬†in the popular Yoast WordPress SEO plugin (marked as “not recommended”, obviously for good reasons):
Clean permalinks - not recommended

After unchecking this option, sharing worked as expected.

If you don’t want to disable this feature, adding “share” to the list of variables not to clean should also fix the issue:
Variables not to clean