I am not sure if it has been discussed here or not but excuse my rush here...
Looking at all these hacked/locked account issues and the time needed to recover them manually, I feel very insecure about my account too. Although I always use a strong password, 2FA where applicable - all sorts of things to ensure the highest security - still anything can happen anytime. It could be my mistake or it could be a system leak, which actually does not matter. What matters is that once an accident happens, the account holder faces all sorts of hassles, which is frustrating.
Coming to my point...
Whenever your password is changed (except by an administrator), you will get an email about it.
Whenever your email is changed (except by an administrator), your old email will get an email about it with a link to lock your account. The link is valid for 14 days.
I actually do not understand why the email is to lock. Instead of the link to lock the account, why can't the system send an email asking to revoke the request if the change was not made by this email account holder?
I think this could be a decent procedure....
If an account (bitcoinTalk) requests a password and/or email change, then
send an email to the last registered email address asking for approval. Send a link that confirms manual approval of the requested change. If the original user requested the change, then they are liable for their action. Now,
if the user does not have access to the email address, only then ask the mods/admins to help them out. I believe this small tweak in sending the email will save a lot of time for both the users who are victims and the mods/admins.
Update:
A little correction...
For a password change, send the approval email to the currently registered email account, and for an email change, send the approval email to the last registered email.
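The approval flow proposed above, as an added example that is not part of the original post or of the forum's software: a requested change is parked as pending, the approval link (with the same 14-day validity the post mentions for the lock link) goes to the address on file before the change, and the change is applied only when a matching, unexpired, single-use token comes back. The account model, field names and `demo()` walk-through are assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
APPROVAL_WINDOW = timedelta(days=14)  # same window the forum gives its existing lock link

@dataclass
class PendingChange:
    kind: str          # "password" or "email"
    new_value: str     # new password hash or new address; applied only on approval
    token: str         # single-use secret carried by the approval link
    expires_at: datetime

@dataclass
class Account:
    email: str
    password_hash: str
    pending: PendingChange = None

def request_change(acct, kind, new_value, now):
    """Park the change as pending; return (recipient, token) for the approval mail.
    Password change: mail the currently registered address.
    Email change: mail the previously registered (old) address, never the new one."""
    if kind not in ("password", "email"):
        raise ValueError("unknown change kind")
    token = secrets.token_urlsafe(32)
    acct.pending = PendingChange(kind, new_value, token, now + APPROVAL_WINDOW)
    return acct.email, token   # acct.email is still the old address at this point

def approve(acct, token, now):
    """Apply the pending change only for a matching, unexpired, single-use token."""
    p = acct.pending
    if p is None or now > p.expires_at or not hmac.compare_digest(p.token, token):
        return False  # nothing pending, link expired, or wrong token: account untouched
    if p.kind == "password":
        acct.password_hash = p.new_value
    else:
        acct.email = p.new_value
    acct.pending = None  # the link cannot be replayed
    return True

def demo():
    now = datetime(2024, 1, 1)
    acct = Account("old@example.test", "hash1")  # constructed sample account
    sent_to, tok = request_change(acct, "email", "new@example.test", now)
    wrong = approve(acct, "not-the-token", now)
    late = approve(acct, tok, now + APPROVAL_WINDOW + timedelta(seconds=1))
    ok = approve(acct, tok, now + timedelta(days=1))
    return {"mailed_to": sent_to, "wrong": wrong, "late": late, "ok": ok,
            "email": acct.email, "replay": approve(acct, tok, now)}
```

`demo()` shows the mail going to the old address, a wrong or expired link leaving the account untouched, and the real link applying the change exactly once.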