by mjevans 2404 days ago
The email change is particularly disturbing. A good security design would be to send the old email a notice of change request and give them a link that can always be used to undo that change (which might require the at-the-time older password as well).

Most services don't do that. I have had my personal email account DDoSed before and requiring access to that inbox to change my email address would have been impossible for over a month.
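
The undo-link design proposed in the first comment, sketched as an added example that is not part of the thread or of any service's code. The `Accounts` store, `SERVER_KEY`, the token format and the choice to restore the old password hash along with the address are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def sign(user_id, change_id):
    msg = f"{user_id}|{change_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class Accounts:  # hypothetical in-memory store, constructed for this example
    def __init__(self):
        self.users = {}    # user_id -> {"email", "salt", "pw"}
        self.changes = {}  # change_id -> state as it was before the change

    def set_password(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users.setdefault(user_id, {}).update(salt=salt, pw=pw_hash(password, salt))

    def add(self, user_id, email, password):
        self.set_password(user_id, password)
        self.users[user_id]["email"] = email

    def change_email(self, user_id, new_email):
        """Apply the change; return the undo token to mail to the OLD address."""
        user = self.users[user_id]
        change_id = secrets.token_urlsafe(16)
        self.changes[change_id] = dict(user, user_id=user_id)  # snapshot
        user["email"] = new_email
        return f"{change_id}.{sign(user_id, change_id)}"

    def revert(self, token, old_password):
        """Undo the change if the token is ours and the at-the-time password matches."""
        change_id, _, mac = token.partition(".")
        snap = self.changes.get(change_id)  # kept forever: the link never expires
        if snap is None:
            return False
        if not hmac.compare_digest(mac.encode(), sign(snap["user_id"], change_id).encode()):
            return False
        if not hmac.compare_digest(pw_hash(old_password, snap["salt"]), snap["pw"]):
            return False
        # Restore address and credentials together, so a later password change
        # by whoever altered the address does not survive the undo.
        self.users[snap["user_id"]].update(
            email=snap["email"], salt=snap["salt"], pw=snap["pw"])
        return True
```

Because the check is against the snapshot taken at change time, the undo works without access to the new inbox and regardless of any password set afterwards.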