Maighstir: Would you want an e-mail to a secondary address to confirm whether you're certain that you want to change your primary e-mail or password on GOG?
hyperagathon: That would indeed be acceptable, unlike the measures I listed. Personally, I'd still turn it off given the option. GOG currently has it backwards - they send you an email after you've changed your password. Sending one before the change can occur and asking the user to confirm would have prevented the attacks we've read about in the forum, provided the user's machine wasn't infected. But without that provision, there'd be little point in sending an email to a different address as well.
Of course. The idea of sending to a secondary address to confirm that you wish to change your primary one is just that, confirming that you actually want to change (perhaps by clicking a unique link in the e-mail and making the confirmation), not to confirm that it has been changed. You could, of course, send an e-mail to the primary address instead, but using two addresses that each confirm the other is useful in the case that you lose access to one.
(Losing access to your e-mail address is rather common in my experience, as it seems people commonly use an address provided by their ISP or their workplace rather than from an independent provider such as Yahoo or Google, and thus lose access when they switch ISPs or jobs.)
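
Added example, not part of the forum posts and not GOG's code: a sketch of the confirm-before-change flow discussed above, in which the new primary address is only staged until a unique, single-use token mailed to the secondary address is presented. The `Account` class, the function names and the one-hour lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600  # assumed confirmation-link lifetime, in seconds


class Account:
    """Hypothetical account record with two addresses that confirm each other."""

    def __init__(self, primary, secondary):
        self.primary = primary
        self.secondary = secondary
        self.pending = None  # (token_digest, new_primary, expires_at)


def request_email_change(account, new_primary, now=None):
    """Stage the change; return (recipient, token) for the confirmation mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable value for the unique link
    # Store only a digest, so a leaked database row cannot confirm the change.
    digest = hashlib.sha256(token.encode()).hexdigest()
    account.pending = (digest, new_primary, now + TOKEN_TTL)
    return account.secondary, token  # the primary address is still unchanged


def confirm_email_change(account, token, now=None):
    """Apply the staged change only if the mailed token is presented in time."""
    now = time.time() if now is None else now
    if account.pending is None:
        return False
    digest, new_primary, expires_at = account.pending
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(digest, presented):
        return False  # wrong token: the staged change stays pending
    account.pending = None  # single use, also when the link has expired
    if now > expires_at:
        return False
    account.primary = new_primary
    return True
```
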