(no title)
dd32 | 14 years ago
It looks like certain accounts were compromised. How? I don't know; it could be anything from the users having weak passwords, or even a MITM attack/sniffing (unsecured wireless, anyone? I bet most of these authors have been to a WordCamp or 2). But like I said, I don't know how; that's pure speculation.
WordPress.org (and the WordPress software itself) has not sent passwords in emails for a while now, except in cases where it's absolutely required.
When a user forgets their password, an email with a single-use URL is sent; that link allows them to change their password. Yes, if their email is compromised, their account can be compromised.
When a user changes their password, it is not sent via email to the account owner or site administrator.
When a new install is created, if the user enters a password during the installation process, their password will not be sent via email. If they leave it at the default randomly generated password, it WILL be emailed to them, and they'll be asked to change it upon next login; they're expected to change it when they log in.
If a new user is added to a WordPress installation, and the admin sets a password, they can choose to send an email to the user with their details.
It's all weighing usability vs. security against each other; the cases where WordPress Core sends emails right now that include a password are very minimal (and only in cases where it's actually required).
Some people choose to disable the password reset process entirely on their installations. If you have server access, or a decent amount of knowledge, often it's an unneeded component.
noobiscus | 14 years ago
Maybe they all had Playstations?