by asd88 1060 days ago
> The inconvenience to the deactivated account is minor: one SMS verification code and the account is back, queued messages get received, etc.

Unless I spin up simple automation to deactivate your account every hour.


This is trivial to mitigate with per-account rate limiting.

On top of that, if a specific account is targeted at the rate-limit, a flag could be put in place to let support disable the automation for that account.
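As an added illustration of the mitigation sketched in the comment above (this is example code written for this page, not anything the commenter or any real service published): a per-account sliding-window limit on automated deactivations, plus a support-controlled lock that routes further requests to a human queue instead of processing them. The window length, the one-deactivation-per-day limit, the account fields and the `simulate_hourly_attack` scenario are all assumptions chosen to model the "deactivate every hour" attack from the thread.

```python
from collections import deque
from dataclasses import dataclass, field

# Hypothetical policy values (assumptions for this example, not from the thread):
WINDOW_SECONDS = 24 * 3600   # sliding-window length
MAX_PER_WINDOW = 1           # automated deactivations allowed per account per window
HOUR = 3600


@dataclass
class Account:
    phone: str
    active: bool = True
    support_lock: bool = False  # the "flag": support disables automation for this account
    accepted: deque = field(default_factory=deque)  # timestamps of accepted automated deactivations
    limited_attempts: int = 0   # refusals by the limiter; visible to support as a targeting signal


class DeactivationService:
    """Email-triggered deactivation guarded by a per-account sliding-window limit."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.support_queue: list[tuple[str, int]] = []

    def register(self, phone: str) -> Account:
        acct = Account(phone)
        self.accounts[phone] = acct
        return acct

    def request_deactivation(self, phone: str, now: int) -> str:
        acct = self.accounts[phone]
        if acct.support_lock:
            # Automation disabled for this account: a human handles the ticket,
            # so the requester gets no immediate effect.
            self.support_queue.append((phone, now))
            return "queued_for_support"
        # Drop accepted deactivations that have aged out of the window.
        while acct.accepted and now - acct.accepted[0] >= WINDOW_SECONDS:
            acct.accepted.popleft()
        if len(acct.accepted) >= MAX_PER_WINDOW:
            acct.limited_attempts += 1
            return "rate_limited"
        acct.accepted.append(now)
        acct.active = False
        return "deactivated"

    def reactivate_via_sms(self, phone: str) -> None:
        # Stand-in for the SMS verification step. The accepted-deactivation history is
        # deliberately kept, so reactivating does not reset the limiter.
        self.accounts[phone].active = True

    def support_set_lock(self, phone: str, locked: bool) -> None:
        self.accounts[phone].support_lock = locked


def simulate_hourly_attack(hours: int = 48, lock_after_hour: int = 30) -> dict:
    """Constructed scenario: one deactivation request per hour against one account.
    Support flips the lock at `lock_after_hour` (pass -1 to never lock).
    Returns a tally of outcomes plus what the victim and support observe."""
    svc = DeactivationService()
    victim = svc.register("+15550100")  # constructed sample account
    tally = {"deactivated": 0, "rate_limited": 0, "queued_for_support": 0}
    for h in range(hours):
        if h == lock_after_hour:
            svc.support_set_lock(victim.phone, True)
        outcome = svc.request_deactivation(victim.phone, h * HOUR)
        tally[outcome] += 1
        if outcome == "deactivated":
            svc.reactivate_via_sms(victim.phone)  # one SMS code and the account is back
    tally["limited_attempts_seen_by_support"] = victim.limited_attempts
    tally["support_queue_len"] = len(svc.support_queue)
    tally["victim_active_at_end"] = victim.active
    return tally


if __name__ == "__main__":
    print(simulate_hourly_attack())
```

With the limiter alone, the hourly automation lands only once per window and every other attempt is refused and counted; once support sets the lock, nothing is processed automatically and the attempts pile up in the support queue instead. Note the limiter keys on accepted deactivations rather than on the requester, since a deactivation-by-email flow has no authenticated requester to key on.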

And once that happens, I then steal the target's phone.

If we're talking about deactivating someone's account via email, we are already talking about a targeted attack.

I'm not sure how relevant that threat model is (OS-level security would probably be enabled for people susceptible to being targeted in such a way. Support could advise enabling it before toggling the flag, etc.), but anyway the hypothetical flag would only be about making sure the automation doesn't happen and the ticket goes to support. Support can then manually handle the rare edge case and place more burden on the person attempting to deactivate the account.