Change email security issue

[APXEOLOG]

So i've decided to restore some of my old accounts and faced this issue.
When you change email, confirmation letter goes to the new email. WTF? What's the point?
You can change password and email if you know only the password, like it was years ago...

[shubla]

Known issue,
Complained once.
They didnt do anything.
They dont care probably.

[jorb]

Will look at it.

[loftar]

I generally don't consider the e-mail address to be a security attribute of an account -- if someone has your password, the account is compromised anyway. The reason a confirmation mail goes to the new account is simply to verify that you actually own the account (as is also done when creating an account in the first place).

Conversely, if changing the e-mail address requires verification from the previous e-mail account, then that thwarts the main purpose of being able to change e-mail address on the account, namely to update if you've switched actual e-mail accounts.

[sabinati]

it's supposed to be an alert to the old account with a "no action required unless you did not initiate this" message

[loftar]

it's supposed to be an alert to the old account with a "no action required unless you did not initiate this" message

Such a message is indeed sent, though.

[sabinati]

Not according to the OP

[loftar]

There are two mails that are sent when switching e-mail addresses; one verification e-mail to the new address, and one "receipt" e-mail to the previous address. I'm pretty sure what OP was referring to was the verification mail, whereas I assume you're talking about the receipt mail, no?

[sabinati]

ok, as long as both of them are sent, it should be fine