Ran across a site where if one changes the email address associated with the account, it sends the confirmation email to the new address.
Say, I am a Blackhat and used a phishing attack to get the password for the account. Having legitimately logged in, I then change the email address associated with it from firstname.lastname@example.org to my email@example.com. Sending the confirmation to blackhatalias rather than the victim ensures a compromised account will get altered. Strong security would want to prevent the change unless the owner of firstname.lastname@example.org confirms the change.
Though, it does look like an email was sent to email@example.com almost 3 hours after the confirmation saying:
This notice confirms that your email was changed on site Forums.
If you did not change your email, please contact the Site Administrator at
Still scary. The blackhat has probably already made off with the data and done the damage.
I get the temptation to allow users to change their email address to a new one. It prevent support phone calls because if they no longer have control of the existing account, users can simply change it to another address they do.
Of course, the site in question also does not have Two Factor Authentication. But, then it also is just a support forum. So, the ramifications of losing the account is impersonation at worst. They could ask or answer a question as me or change the profile to say something demeaning.
From Email Changes published January 08, 2017 at 08:40AM.