When WPML emailed new passwords to customers in plaintext, some customers thought it was due to a security breach. Amit Kvint, compatibility team leader for WPML, confirmed the emails are not a result of a security breach.
In a post on the official WPML blog, Kvint says the emails were a preventive measure to ensure accounts remain secure. “The main purpose and underlying principle for this action was making sure everyone has a good new strong password, we consider this an important step in online security,” Kvint said.
Kvint acknowledges the improvements in WordPress 4.3 in how passwords are handled and admits that sending passwords in plaintext was not a good idea. “The best practice would be, once the password is sent, to log in and reset the password to a new strong one. We will definitely revise the way this is done in the future,” Kvint said.
The blog post does not go into detail about how they determined passwords to be weak. To the best of my knowledge, WPML does not have a policy in place to enforce strong passwords. While no accounts were compromised, if some of the contacted customers choose a weak password, wouldn’t it defeat the purpose of resetting passwords in the first place?
What worries me the most is that they actually know that people use weak passwords…
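The two problems raised above, mailing a usable password in plaintext and resetting passwords without any policy that stops the new one from being weak, have a standard defensive answer: email a single-use, time-limited reset token (storing only its hash server-side), and apply a password policy at the moment the new password is set. The following is an added illustration, not WPML's or WordPress's code; the token store, the small blocklist and the policy thresholds are constructed for the example.

```python
import hashlib
import secrets
import time

# Policy thresholds are assumptions for this example, not a published WPML policy.
MIN_LENGTH = 12
TOKEN_TTL = 3600  # reset links stop working after one hour
# Constructed blocklist; a real deployment would use a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}


def password_policy_errors(password, username=""):
    """Return a list of policy violation codes; an empty list means the password is acceptable."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("too_short")
    if password.lower() in COMMON_PASSWORDS:
        errors.append("common_password")
    if username and username.lower() in password.lower():
        errors.append("contains_username")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < 3:
        errors.append("too_few_character_classes")
    return errors


def _token_digest(token):
    # Only the hash is stored, so a leaked store does not yield usable reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store, username, now=None):
    """Create a reset token for `username`. The returned token goes into the emailed
    link; the user's password is never sent."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
    store[_token_digest(token)] = (username, now + TOKEN_TTL)
    return token


def redeem_reset_token(store, token, new_password, now=None):
    """Consume a token and set a new password. Returns (ok, errors)."""
    now = time.time() if now is None else now
    digest = _token_digest(token)
    entry = store.pop(digest, None)  # pop makes the token single-use
    if entry is None:
        return False, ["invalid_or_used_token"]
    username, expiry = entry
    if now > expiry:
        return False, ["token_expired"]  # expired tokens stay removed
    errors = password_policy_errors(new_password, username)
    if errors:
        store[digest] = entry  # keep the token so the user can retry within the TTL
        return False, errors
    # Here a real system would store a salted password hash (e.g. wp_set_password in WordPress).
    return True, []


if __name__ == "__main__":
    store = {}
    token = issue_reset_token(store, "alice")
    print(redeem_reset_token(store, token, "password1"))        # rejected by policy
    print(redeem_reset_token(store, token, "Tr0ub4dor&3xyzQ"))  # accepted, token consumed
    print(redeem_reset_token(store, token, "Tr0ub4dor&3xyzQ"))  # replay fails
```

The policy check runs at redemption time, which is the point the article says was missing: a reset only improves security if the replacement password is itself required to be strong.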