You got a Pipeline security code email you didn't request. That's a sign someone tried to sign in with your credentials — but the way 2FA works, they didn't make it.
Reason
Pipeline emails the 2FA code to your login email after a successful password match. Which means someone entered the right password, but couldn't get past the code step because the email lands in your inbox, not theirs. The system is doing exactly what it's built to do.
Solution
Treat the unexpected code as a signal that the password isn't a secret anymore. Two steps tighten it back up:
- Change your Pipeline password right away. Click your name in the upper-right, then [My Info], and update your password.
- Change your external email password too, especially if you've used the same one on other sites.
For a closer look at what was attempted, your master admin can request a login report from support — it includes timestamp, IP address, and the email used for each sign-in. If the same thing keeps happening, see Re-secure a compromised account for the full lockdown sequence.