First of all, we don’t have the ability to force push upgrades. Only if the user manually enable the automatic upgrade, the firmware will schedule a request to the server for the latest version of the firmware to be downloaded and installed. The trigger for the upgrade is always the device, and the user can disable it at any time.
Secondly, on version 4.x, the automatic upgrade feature has been removed. This scheduled request for updates mechanism has been removed instead of being enabled by default.
Finally, I am very sorry that the recent upgrade was an accident. Autoupdate should not work for cross-version upgrades such as 3.x → 4.x. We’ve removed the 4.x firmware from our servers as soon as we realized the problem, but a number of users still upgraded automatically.