The WordPress Stats plugin was updated a couple of times recently. The first update, to version 1.1, moved the stats page to the blog being tracked, rather than keeping it at WordPress.com. With version 1, clicking the stats page in the WordPress dashboard opened the stats page on WordPress.com. Now the page opens in an iframe on the current blog.
WordPress Stats Version 1.1.1 was released soon after. It plugs a critical SQL injection security vulnerability.
I upgraded this blog and everything seems fine – the old stats remained and they’ve been updated. The instructions say the updated plugin can be copied over the old one, with no mention of deactivating the plugin first. I followed my typical procedure and shut down the plugin first, then replaced it. When I restarted the plugin I had to re-enter the WordPress API key.