Reportedly there is a gigantic open security flaw they are addressing in a future firmware update… The initial temporary SSID stays active and open.
Maybe that e-mail message is their due diligence in the meantime. (Or maybe it’s phishing.)