Solved: Jetpack Generating Mysterious Admin Email Change Messages
This entry was posted in WordPress Security on May 2, 2018 by Mark Maunder 11 Replies
We’ve received quite a few questions about this in the past 24 hours, either via forums, email or twitter. Roughly 14 hours ago we started seeing reports that WordPress site owners running Jetpack were receiving emails that stated the following:
You recently requested to have the administration email address on your site changed.
If this is correct, please click on the following link to change it: [link]
You can safely ignore and delete this email if you do not want to take this action.
This email has been sent to [email]
This has been reported and discussed on Reddit here and here.
It was also reported on the WordPress forums where Brandon Kraft, who works at Automattic as customer happiness team lead, posted the following update just over an hour ago:
This is something we missed. We started noting the admin email address which ended up triggering WordPress.com’s notification system unintentionally, which sent the e-mails you saw. I disabled the notifications about 12 hours ago (02:32 UTC) so you will not see any additional e-mails.
There is no security threat or breach and no action is required for those messages. I’m sorry for the hassle and worry. We take testing releases very seriously and it was a bit of a perfect storm that led to the particular condition that triggered the notification to be missed pre-release.
It sounds like the window during which this occurred was just a few hours, so the impact may not include the full Jetpack ecosystem, but just those sites that updated during that time.
As a precaution the Wordfence team looked at Jetpack’s source along with other possible vectors before we received Brandon’s update and didn’t find anything. So it looks like this was just a case of a bug that slipped through QA and made it into production.
Thanks Brandon and the Jetpack team for the update. We will now return to our regularly scheduled programming.