-x- turns out mainly internal security issue
that sounds a bit too theoretical…
a few questions for you: where did you get your “official” snap from?
how did you install it exactly?
what exactly does this email tell you? who exactly was sending it?
as soon as https comes in play you’d need certificates… even a self-signed one or - better - a official one (say by letsencrypt)
If you can trigger a password reset on your system and you get the password reset email from this other system, I think it’s safe to assume there must be some connection and not a hack.
For the record, this would not be considered normal behavior for the snap or any other installation.
Do you know this domain it’s coming from? Check the email header and see if you can verify whether your system sent it. Do you have your NC configured to send email through another system that could be overwriting the sender domain?