Brainstorming with @[email protected] how the account migration feature could be safeguarded against someone who's unrightfully gained access to your account, like with those people who didn't have 2FA on and re-used passwords.

Since attackers usually just try e-mail/password combinations from data dumps, they may not actually have access to the e-mail inbox, so requiring an e-mail confirmation for such an action (as well as account deletion) would probably be a good step.

#mastodev