Could this be generated because of a cpanel/WHM update?
It in fact may be. Check the location of /bin/passwd, it should be a symlink to a cPanel file:
lrwxrwxrwx 1 root root 38 Oct 14 08:13 passwd -> /usr/local/cpanel/bin/jail_safe_passwd*
In this case, the jail_safe_passwd bin file was updated for me on 10-22-2015:
update.1445491741.log:[2015-10-22 01:31:52 -0400] Retrieving and staging /cpanelsync/126.96.36.199/binaries/linux-c7-x86_64/bin/jail_safe_passwd.xz
update.1445491741.log:[2015-10-22 01:31:52 -0400] Set permissions on /usr/local/cpanel/bin/jail_safe_passwd-cpanelsync to 0755
I highly recommend that you review your update logs to ensure it's the same for you and not take "my word" for it, that it's safe. Also, the md5sum that I'm showing for my jail_safe_passwd file is:
# md5sum /usr/local/cpanel/bin/jail_safe_passwd