Post by RobinD » Mon Dec 08, 2014 5:34 pm

I just received an email, apparently genuine, saying my password has been reset and to use the new login details in the email to log in to my opencart account.

I did not request a reset.

The log in details don't work either!

Suggestions?

The email appears to be from:
support@opencart.zendesk.com

The "access your account" link in the email goes to:

http://outbound.opencart.com/track/clic ... p=eyJzIjoi~ etc etc (lots of random characters)


Post by Dhaupin » Wed Dec 10, 2014 1:40 am

Is your email that you use to access OpenCart publicly available anywhere (such as a contact place in your store)? If so, they prob ran a scan for OC installs, harvested emails, and mass sent reset information. Perhaps a number of folks had weak passwords for email and the exploiters were waiting logged in for the reset link.

Regardless, to be safe, I would change your email account password if it wasn't you. Keep it unique and not the same as any other pass.

Also to confirm it came from opencart, you can "view original" for the email which will expose the headers, IPs, routing, etc.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
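The header check suggested in the post above, as an added example that is not part of the original thread or of OpenCart: it reads the raw ("view original") message, keeps only the `Authentication-Results` written by the reader's own receiving server, lists the `Received` hops, and checks whether the DKIM signer matches the From domain. The sample message, the host names ending in `.example`, the IPs and the `trusted_authserv` parameter are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not from the thread); IPs are documentation ranges.
SAMPLE = """\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.receiver.example with ESMTPS id abc123; Mon, 08 Dec 2014 17:20:01 +0000
Authentication-Results: mx.receiver.example;
\tspf=pass smtp.mailfrom=bounce.sender.example;
\tdkim=pass header.d=zendesk.com;
\tdmarc=none header.from=opencart.zendesk.com
Received: from app.internal (unknown [198.51.100.7])
\tby mail.sender.example with SMTP id xyz789; Mon, 08 Dec 2014 17:19:58 +0000
Authentication-Results: spoofed.example; spf=pass; dkim=pass header.d=opencart.com
Return-Path: <bounce@bounce.sender.example>
From: Support <support@opencart.zendesk.com>
Subject: Password reset

(body omitted)
"""

def analyze(raw, trusted_authserv):
    """Summarise the headers a recipient can rely on; trusted_authserv is
    the authserv-id of the reader's own receiving mail server (assumption)."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if (authserv.split() or [""])[0].lower() != trusted_authserv:
            continue  # written by another host, so a sender could have forged it
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest):
            auth.setdefault(method, verdict.lower())
        signer = re.search(r"header\.d=([\w.-]+)", rest)
        if signer:
            auth["dkim_domain"] = signer.group(1).lower()
    hops = []  # newest first; only hops[0] was recorded by the reader's own server
    for value in msg.get_all("Received", []):
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        by = re.search(r"\bby\s+([\w.-]+)", value)
        hops.append((ip.group(1) if ip else None, by.group(1) if by else None))
    d = auth.get("dkim_domain", "")
    # Simplified relaxed alignment: From domain equals or is a subdomain of the signer.
    aligned = bool(d) and auth.get("dkim") == "pass" and (
        from_domain == d or from_domain.endswith("." + d))
    return {"from_domain": from_domain, "auth": auth, "hops": hops, "aligned": aligned}

if __name__ == "__main__":
    print(analyze(SAMPLE, "mx.receiver.example"))
```

A passing result only shows that the message was sent through the claimed service; it does not show who requested the reset.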



Post by dmsims » Sat Jul 18, 2015 7:46 pm

I want to comment on this as I had exactly the same issue

A password reset request email (which was genuine looking at the headers of the email) not requested by me

The admin user was not called and had a 10 character strong password

Could not log in and had to reset it in SQL admin (the malicious IP address originated from Indonesia)

Other people have reported this as well and I think it's serious
