- May 2, 2018
- Posted by: Byzmarsol
- Category: Innovation, iT news, Security
Recently, there have been quite a few questions on forums, by email and on Twitter about the Jetpack WordPress plugin generating mysterious admin email change messages. There were also reports that WordPress site owners running Jetpack were receiving emails that stated the following:
You recently requested to have the administration email address on your site changed.
If this is correct, please click on the following link to change it: [link]
You can safely ignore and delete this email if you do not want to take this action.
This email has been sent to [email]
It was also reported on the WordPress forums where Brandon Kraft, who works at Automattic as customer happiness team lead, posted the following update just over an hour ago:
This is something we missed. We started noting the admin email address which ended up triggering WordPress.com’s notification system unintentionally, which sent the e-mails you saw. I disabled the notifications about 12 hours ago (02:32 UTC) so you will not see any additional e-mails.
There is no security threat or breach and no action is required for those messages. I’m sorry for the hassle and worry. We take testing releases very seriously and it was a bit of a perfect storm that led to the particular condition that triggered the notification to be missed pre-release.
It sounds like the window during which this occurred was just a few hours, so the impact may not include the full Jetpack ecosystem, but just those sites that updated during that time.
As a precaution, the Wordfence team looked at Jetpack’s source along with other possible vectors before they received Brandon’s update and didn’t find anything. So it looked like it was just a case of a bug that slipped through QA and made it into production.
Thanks to Brandon and the Jetpack team for the update.