It looks like User:Sundar was recently compromised via JS.
Logs have something like:
- At 2018-06-15T04:27:50 they got a reauth error at botpassword
- At 2018-06-15T04:27:51 they changed the email at tawiki via Special:ChangeEmail
So it would look like the attacker somehow bypassed the reauth stage to change the email. Need to investigate further.
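
One way to hunt for the same pattern across accounts (a reauth error followed within seconds by a sensitive change, with no successful reauth in between) is sketched below. This is an added example, not code from this task or from MediaWiki; the event tuple layout, the event names (`reauth_error`, `reauth_ok`, `email_change`), the account names and the 60-second window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real log lines. Layout (assumed):
# (ISO timestamp, account, event kind, where it happened)
SAMPLE_EVENTS = [
    ("2018-06-15T04:27:50", "ExampleUser", "reauth_error", "botpassword"),
    ("2018-06-15T04:27:51", "ExampleUser", "email_change", "Special:ChangeEmail"),
    # Failure, then a successful reauth, then the change: expected flow.
    ("2018-06-15T05:00:00", "OtherUser", "reauth_error", "Special:UserLogin"),
    ("2018-06-15T05:00:10", "OtherUser", "reauth_ok", "Special:UserLogin"),
    ("2018-06-15T05:00:20", "OtherUser", "email_change", "Special:ChangeEmail"),
    # Failure and change far apart: outside the correlation window.
    ("2018-06-15T06:00:00", "ThirdUser", "reauth_error", "botpassword"),
    ("2018-06-15T06:20:00", "ThirdUser", "email_change", "Special:ChangeEmail"),
]

# Actions that are expected to sit behind a reauthentication step (assumed set).
SENSITIVE = {"email_change"}


def find_reauth_bypass_candidates(events, window=timedelta(seconds=60)):
    """Flag sensitive actions that follow an uncleared reauth failure
    on the same account within `window`."""
    parsed = sorted(
        (datetime.fromisoformat(ts), user, kind, where)
        for ts, user, kind, where in events
    )
    last_failure = {}  # account -> time of most recent uncleared failure
    findings = []
    for when, user, kind, where in parsed:
        if kind == "reauth_error":
            last_failure[user] = when
        elif kind == "reauth_ok":
            # A successful reauth clears the earlier failure.
            last_failure.pop(user, None)
        elif kind in SENSITIVE:
            failed_at = last_failure.get(user)
            if failed_at is not None and when - failed_at <= window:
                findings.append({
                    "user": user,
                    "action": kind,
                    "where": where,
                    "gap_seconds": (when - failed_at).total_seconds(),
                })
    return findings


if __name__ == "__main__":
    for hit in find_reauth_bypass_candidates(SAMPLE_EVENTS):
        print(hit)
```
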