If you are the admin of a Drupal 6 or Drupal 7 website, you have likely received a password reset email that you did not request. This is caused by a bot (or several bots) hitting the password reset form and triggering the emails.
When a password reset is requested in Drupal, a backdoor is created by design: the password reset URL. The URL is publicly reachable, so if you (or the hackers) can guess the password reset URL, you'd gain full control of the site. Guessing the URL is very difficult, much harder than a brute-force attack on the actual login URL. However, the reset URLs are not covered by flood protection by default. This allows the attacker to try an endless number of URLs without being blocked. This is true for at least a 24-hour period until the URL expires.
Another possibility is an unknown leak of the reset URL. Given the high number of reset requests, this is entirely possible.
This issue is being discussed on the Drupal community board here: https://www.drupal.org/project/drupal/issues/2939720
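Because the reset form and reset URLs are not rate limited by default, the web server access log is where this activity shows up. The following is an added example, not code from Drupal or from the linked issue: it counts password reset form submissions and distinct one-time reset links per client IP. The log lines are constructed, the thresholds and the `flag` function name are assumptions, and the path patterns follow the standard Drupal 6/7 routes `user/password` and `user/reset/<uid>/<timestamp>/<hash>`.

```python
import re
from collections import defaultdict

# Constructed sample lines (Apache combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2018:10:00:01 +0000] "POST /user/password HTTP/1.1" 302 - "-" "-"
203.0.113.7 - - [12/Mar/2018:10:00:02 +0000] "POST /user/password HTTP/1.1" 302 - "-" "-"
203.0.113.7 - - [12/Mar/2018:10:00:03 +0000] "POST /user/password HTTP/1.1" 302 - "-" "-"
203.0.113.7 - - [12/Mar/2018:10:00:04 +0000] "POST /?q=user/password HTTP/1.1" 302 - "-" "-"
198.51.100.9 - - [12/Mar/2018:10:05:00 +0000] "GET /user/reset/1/1520848800/hashA HTTP/1.1" 302 - "-" "-"
198.51.100.9 - - [12/Mar/2018:10:05:01 +0000] "GET /user/reset/1/1520848800/hashB HTTP/1.1" 302 - "-" "-"
198.51.100.9 - - [12/Mar/2018:10:05:02 +0000] "GET /user/reset/1/1520848800/hashC HTTP/1.1" 302 - "-" "-"
192.0.2.15 - - [12/Mar/2018:11:00:00 +0000] "POST /user/password HTTP/1.1" 302 - "-" "-"
192.0.2.15 - - [12/Mar/2018:11:02:00 +0000] "GET /user/reset/42/1520852400/hashD HTTP/1.1" 200 512 "-" "-"
192.0.2.15 - - [12/Mar/2018:11:02:05 +0000] "GET /user/reset/42/1520852400/hashD/login HTTP/1.1" 302 - "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')
# Match both clean URLs and the ?q= form.
PREFIX = r'^/(?:index\.php)?(?:\?q=)?'
FORM_RE = re.compile(PREFIX + r'user/password(?:[/?&]|$)')
RESET_RE = re.compile(PREFIX + r'user/reset/(\d+)/(\d+)/([^/?&]+)')

def flag(log_text, max_form_posts=3, max_distinct_links=2):
    """Return {ip: [reasons]} for clients exceeding the assumed thresholds."""
    form_posts = defaultdict(int)
    links = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path = m.groups()
        if method == "POST" and FORM_RE.match(path):
            form_posts[ip] += 1
        reset = RESET_RE.match(path)
        if reset:
            # A legitimate user follows one link; many distinct
            # (uid, timestamp, hash) tuples from one IP is not normal use.
            links[ip].add(reset.groups())
    flagged = defaultdict(list)
    for ip, count in form_posts.items():
        if count > max_form_posts:
            flagged[ip].append("reset-form")
    for ip, seen in links.items():
        if len(seen) > max_distinct_links:
            flagged[ip].append("reset-url")
    return dict(flagged)

if __name__ == "__main__":
    print(flag(SAMPLE_LOG))
```

Flagged addresses are candidates for blocking or rate limiting at the web server or firewall, since the reset paths are not throttled by default.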