Have you updated your WordPress install recently? You should. Yesterday WordPress released an update that patches a vulnerability that allowed attackers to use specially crafted URLs to reset the first account in your database that has no key. That account is usually the WordPress administrator account. The password would then be reset, and a new password would be emailed to the account’s email address. Read more here: WordPress: WordPress 2.8.4: Security Release










