
Potential Security Issue


Pete
30th of March 2007 (Fri), 05:33
Hi there.

I've just changed my potn email address and clicked on the activation link that went through to the new email address and all is fine.

However, the old email address didn't get a confirmation. Wouldn't this be a slight security issue? I mean if someone managed to guess my login and logged into my account and changed the email address, I wouldn't necessarily notice while using potn. But any PMs that would get sent to me (with private information like banking details for buying goods off other members, for example) would get sent off to the hacker's email address.

However, if a confirmation of the change went to both email accounts, I'd at least know what's going on.

Did that make sense/seem sensible?

belmondo
30th of March 2007 (Fri), 07:39
I think I understand your question, but I don't really see the issue. It seems far more likely that someone would have hacked your old email account than the new one since it's been around longer. No banker or retailer is ever going to email private or confidential information in an email unless you request it.

Pete
30th of March 2007 (Fri), 07:46
Actually, I was more thinking that someone could guess a user's password (or just use the machine while a user was logged in with cookies), change the notification email address to be his own, and then leave the machine again.

Then the text of any subsequent PM to that user would be directed to the new email address without the user being aware of it (unless he/she notices that they're not getting email notifications of private messages).

I agree that it's a small risk that this would happen, but when I changed my eBay email, I had to verify with the new email address and a notification of change was sent to the old email address also.
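The flow Pete describes from eBay (confirm at the new address before switching, and tell the old address that a change was requested and then completed), written out as an added example; it is not part of this thread or of vBulletin's own code. The `Account`, `Mailer` and function names, the one-hour token lifetime and the sample addresses are all constructed for the illustration.

```python
"""Added example of an email-change flow that notifies both addresses.

Assumptions (not from the thread): Account/Mailer are stand-ins for the
board's user record and outgoing mail; tokens live one hour.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOKEN_TTL = 3600  # seconds a confirmation link stays valid (assumed value)


@dataclass
class Account:
    username: str
    email: str                                # current, verified address
    pending_email: Optional[str] = None       # requested but not yet confirmed
    pending_token_hash: Optional[str] = None  # only the hash is stored at rest
    pending_expires: float = 0.0


class Mailer:
    """Constructed stand-in for a mail service: it just records what it sent."""

    def __init__(self) -> None:
        self.sent: List[Tuple[str, str, str]] = []  # (to, subject, body)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _clear_pending(account: Account) -> None:
    account.pending_email = None
    account.pending_token_hash = None
    account.pending_expires = 0.0


def request_email_change(account: Account, new_email: str, mailer: Mailer,
                         now: Optional[float] = None) -> str:
    """Stage a change: the secret goes only to the new address, while the
    old address gets a heads-up so the real owner can react. The account's
    live email is not touched until the token comes back."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    account.pending_email = new_email
    account.pending_token_hash = _hash_token(token)
    account.pending_expires = now + TOKEN_TTL
    mailer.send(new_email, "Confirm your new email address",
                f"Open https://example.invalid/confirm-email?token={token} "
                f"to finish changing the address on account '{account.username}'.")
    mailer.send(account.email, "Email change requested on your account",
                f"A request was made to move account '{account.username}' to "
                f"{new_email}. If this was not you, contact the site staff.")
    return token


def confirm_email_change(account: Account, token: str, mailer: Mailer,
                         now: Optional[float] = None) -> bool:
    """Apply the staged change only for a valid, unexpired token, and tell
    the old address that the switch actually happened."""
    now = time.time() if now is None else now
    if account.pending_email is None or account.pending_token_hash is None:
        return False
    if now > account.pending_expires:
        _clear_pending(account)  # stale request; the user must start over
        return False
    # Constant-time compare so the hash comparison leaks nothing about the token.
    if not hmac.compare_digest(_hash_token(token), account.pending_token_hash):
        return False
    old_email, new_email = account.email, account.pending_email
    account.email = new_email
    _clear_pending(account)
    mailer.send(old_email, "Your email address was changed",
                f"Notifications for '{account.username}' now go to {new_email}.")
    mailer.send(new_email, "Email change complete",
                f"This address is now the contact for '{account.username}'.")
    return True


if __name__ == "__main__":
    acct, mail = Account("pete", "old@example.invalid"), Mailer()
    tok = request_email_change(acct, "new@example.invalid", mail)
    assert confirm_email_change(acct, tok, mail)
    for to, subject, _ in mail.sent:
        print(f"{to:22} {subject}")
```

The point Pete makes is carried by the two messages to the old address: the owner of the original mailbox learns about the request and about the completed change even if they never log in to the board, which is exactly the signal that is missing when only the new address is contacted.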

Pekka
30th of March 2007 (Fri), 07:59
Always log out when leaving public PCs.

When a user's password is guessed, all account features can be accessed. This is why you should make your password very secure: long, with mixed numbers and letters, and nothing from the dictionary.

Personally, I think having the username known is bad design in vBulletin; e.g. in my EE login the username is different from the displayed username.