It looks like in 2.7 the new events API went in: https://docs.moodle.org/dev/Event_2
and looking at \auth\db\auth.php, before when creating a new user it would do the following:
$id = $DB->insert_record ('user', $user); // it is truly a new user
// Trigger user_created event.
\core\event\user_created::create_from_userid($id)->trigger();
while in 2.8, it does:
$id = user_create_user($user, false); // It is truly a new user.
Which then kicks of a bunch of stuff around user creation, but also looks to do something related to password updates. Does the email they receive contain a password?
I'm working on updating our own system to Moodle 2.8, will let you know when I get to testing the db auth to see if something similar happens to us.