Drupal 6.9, phpmailer 6.x-2.0-alpha2
I had about 15 administrator-created users in a blocked status, and changed all of them at once to an active status. These users had been created in a blocked status and never had an opportunity to log in.
What seems to happen - as one of my email accounts was on the list - is that every user got a login invitation (with a !login_url link) for himself and every other user that was unblocked in that shot.
The effect is of course unexpected and gives an absolutely untrustworthy impression of the site doing such foolish things.
I don't make this a critical bug only because I am willing to activate 15 users one at a time. A site with a larger number of users *would* see it as critical ... and because of the security implications, I report it also to the Drupal security team.