DeletedUser
As I understand the current game system an email/password can be changed via 2 options:
1/ being logged into the game and changing it via your profile
2/ by "forgot password" from the login page
Now option 1 is open to abuse; there is no confirmation to establish that this is the player making the changes. Therefore, should a hacker gain your login information, they could change your username/password without any challenge.
Option 2 requires email confirmation, therefore providing a level of player security.
A majority of the time a hacker will only have access to information gathered by various means (data harvesting); they will not have access to a player's mail account.
So I am proposing that any change whether from either of the above options requires an email challenge and changes are not applied until the challenge is verified.
The only abuse I can see, is if a hacker has access to the email account.
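
Added example, not part of the original post and not the game's own code: a minimal sketch of the proposed flow, in which a profile change is held as pending and applied only after a one-time token mailed to the address on file is presented. The `Accounts` class, the `outbox` list standing in for a mail sender, the one-hour `TOKEN_TTL` and the choice to send the challenge for an email change to the current address are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 3600  # assumed one-hour validity; the post does not specify one


class Accounts:
    """In-memory account store; credential changes stay pending until confirmed."""

    def __init__(self):
        self.users = {}    # username -> {"email": ..., "password": <hash>}
        self.pending = {}  # sha256(token) -> (username, field, new_value, expires)
        self.outbox = []   # (to_address, token); stands in for a real mail sender

    def request_change(self, username, field, new_value, now=None):
        """Queue a change and mail a one-time token to the address on file."""
        if field not in ("email", "password"):
            raise ValueError("unsupported field")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Drop any earlier pending change for the same user and field.
        self.pending = {k: v for k, v in self.pending.items()
                        if v[:2] != (username, field)}
        # Only the token's hash is stored, so a leaked table cannot confirm.
        # Password values are assumed to be hashed by the caller already.
        self.pending[digest] = (username, field, new_value, now + TOKEN_TTL)
        # The challenge goes to the CURRENT address, even for an email change,
        # so a stolen game login alone cannot complete it.
        self.outbox.append((self.users[username]["email"], token))

    def confirm(self, token, now=None):
        """Apply the pending change if the token is known and unexpired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use: removed on lookup
        if entry is None or now > entry[3]:
            return False
        username, field, new_value, _ = entry
        self.users[username][field] = new_value
        return True
```
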