Solved: Jetpack Generating Mysterious Admin Email Change Messages

We’ve received quite a few questions about this in the past 24 hours, either via forums, email or twitter. Roughly 14 hours ago we started seeing reports that WordPress site owners running Jetpack were receiving emails that stated the following:


You recently requested to have the administration email address on your site changed.

If this is correct, please click on the following link to change it: [link]

You can safely ignore and delete this email if you do not want to take this action.

This email has been sent to [email]


This has been reported and discussed on Reddit here and here.

It was also reported on the WordPress forums where Brandon Kraft, who works at Automattic as customer happiness team lead, posted the following update just over an hour ago:


Howdy y’all,

This is something we missed. We started noting the admin email address which ended up triggering WordPress.com’s notification system unintentionally, which sent the e-mails you saw. I disabled the notifications about 12 hours ago (02:32 UTC) so you will not see any additional e-mails.

There is no security threat or breach and no action is required for those messages. I’m sorry for the hassle and worry. We take testing releases very seriously and it was a bit of a perfect storm that led to the particular condition that triggered the notification to be missed pre-release.


It sounds like the window during which this occurred was just a few hours, so the impact may not include the full Jetpack ecosystem, but just those sites that updated during that time.

As a precaution the Wordfence team looked at Jetpack’s source along with other possible vectors before we received Brandon’s update and didn’t find anything. So it looks like this was just a case of a bug that slipped through QA and made it into production.

Thanks Brandon and the Jetpack team for the update. We will now return to our regularly scheduled programming.

Did you enjoy this post? Share it!

Comments

11 Comments
  • Thanks team for this update. I equally got this alert too within the said period. Since I never requested for email change, I had to do a sign-out of all other device from the user. Now I can relax my nerves.

    Great job! Thanks all.

  • Thank you for being so quick with this. I appreciate your efforts on our behalf. Blessings.

  • Prima gedaan, mannen en vrouwen.
    Het probleem is op een voortreffelijke manier opgelost

    WFSupport Translation :
    Well done, men and women.
    The problem has been solved in an excellent way

  • Thanks for the article. I still feel a level of concern because, on a few of my sites, WordFence has flagged a whole bunch of Jetpack files as "modified plugin file" (ie, files different to WP repository).

    What's up with that?

  • Thanks! I also got this mail and wondered about it, but now I am calmed down.

  • I did not receive such email. But I am happy to see you all addressed it quickly. Much blessings and appreciation to you guys on your relentless pursuit to our online peace of mind. Thanks a billion.

  • Thank you. I got the update yesterday on one of my installs. I'm glad to see there is nothing to worry about.

  • Thank you for this update. I so appreciate how you continue to look out for us all.

  • I received this at 4:07 PM. Is this still within the window of time while the fix makes it's way through the "ecosystem" or someone trying to hack?

    This email was sent from your website "[removed by moderator]" by the Wordfence plugin at Wednesday 2nd of May 2018 at 04:07:13 PM
    The Wordfence administrative URL for this site is: [removed by moderator]
    Someone tried to recover the password for user with email address: [removed by moderator]
    User IP: [removed by moderator]
    User hostname: [removed by moderator]
    User location: [removed by moderator], United States

  • Thanks so much for the information. I posted on the Wordpress forum as well as trying to chat with Wordpress and didn’t receive any information until a few hours ago. Glad it’s nothing to worry about.

  • @Gavin,

    It can be a plugin update, newly updated plugins files can be flagged as recently modified files.