I just changed my email address on moodle.org and it sent a confirmation email to the NEW email address. As a security precaution, should this be sent to the old email address instead with a message like "someone is trying to change the email address at moodle.org, click below to confirm this was you"?
May need to be sent to both - some people may be changing their email address because they no longer have access to the old one
Yes of course, should it follow this pattern then...
- Send an e-mail to the new address with a confirmation link.
- Send an e-mail to the old e-mail address with the option to revoke the change.
This way we can verify the new email address is correct but also alert the old email address in case the account has become compromised.