WordPress 2.8.4 is an important update given that it fixes a security bug. The bug can be exploited by hackers this way:
a specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.
It is advisable to modify your WordPress admin username from default “Admin” to something else. Than can be done only in the MySQL database. That doesn’t solve all of the problems, but it renders your WordPress admin account less vulnerable.