Something dodgy has definitely been happening. In another example, after submitting photo/evidence of weight for a Zwift-organised race (Tour de Bouddica), a couple of riders have noticed changes made to their weight settings on ZwiftPower.
This seems like unauthorised access to personal data to me… by Zwift. And, given their passwords have been accessed, this could compromise part or all of their online data (depending on whether they use the same or similar password elsewhere).
If your email, which you’ve only used for Zwift, has been leaked out in any way, there’s a data breach that needs investigating and explaining.