Reset Password – Hacker Hi-jacked?

Hi all,

Have searched for a similar thread but haven’t managed to find one, apologies if this already covered.

I have caught our WordPress install sending out password resets to numerous email addresses we are not affiliated with (we only use one anyway).

To begin with I could not login to the backend, which I have read up is a common issue, with the usual username and password. I then chose the password reset as this normally turns up lightening fast in my inbox. The email never came.

The next day, I noticed in the Spam folder for the domain email a MailerDaemon from the Server/Wordpress stating “I’m afraid I wasn’t able to deliver your message to the following addresses.
This is a permanent error; I’ve given up. Sorry it didn’t work out.” and list of all these undesirable email addresses.

I know the reset wasn’t delivered to those addresses stated, which have clearly since been deleted by their hosts, but can’t be sure it hasn’t been sent any where else.

I realise we’re on 2.8.4 and plan to update immediately but want to know what’s causing this. I have checked .htaccess, DNS server settings, all emails listed within WordPress, checked myPHPadmin tables as well as contacting our hosts who suggested posting here.

I will update forthwith but want to be assured this bug won’t be assimilated into the lastest WordPress build.

If anyone could shed some light on the occurance I would be very grateful.

Kind regards,

Jasper