In our app, we have implemented logic that allows users to log in through a social connection as well as with email/password.
When a user first registers with email & password, we force them to verify the email, and linking a social connection is not allowed until it is verified.
The problem begins when the user originally creates an account with a social connection (at that point the email is by definition verified) and then someone else can create another account using his email and any new password. This creates a situation where an attacker can take over an account for as long as they know the email.
I am probably missing something, but I can’t come up with a good algorithm for how to overcome that. What are the best practices here?
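As an added illustration (not part of the original question, and not the asker's code), the Python model below reproduces the flow described above and places a hardened variant beside it. The class and function names (`FlawedStore`, `HardenedStore`, `start_password_registration`, `complete_verification`), the in-memory "outbox" standing in for email delivery, and the SHA-256 stand-in for a real password KDF are all assumptions of this example. The hardened store treats the email address as a join key only after mailbox control has been proven: a password signup records a pending credential and sends a one-time token, and nothing is created or attached until that token is redeemed.

```python
"""Account-linking model: the takeover described in the question, next to a
hardened flow.  Constructed example; all names are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def hash_password(password: str) -> str:
    # Placeholder only; a real system uses argon2id, scrypt or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    email: str
    password_hash: str | None = None            # None for social-only accounts
    social_ids: set[str] = field(default_factory=set)
    email_verified: bool = False


class FlawedStore:
    """The situation in the question: a password signup for an address that
    already belongs to a social-login account is accepted without any proof
    of mailbox control.  Whether the app keeps a second row or merges by
    email, the caller ends up with a working login for someone else's
    address; modelled here as merge-by-email."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def register_social(self, email: str, social_id: str) -> Account:
        # The identity provider asserted this address, so it is verified.
        self.accounts[email] = Account(email, social_ids={social_id}, email_verified=True)
        return self.accounts[email]

    def register_password(self, email: str, password: str) -> Account:
        # No check that the caller controls the mailbox: the credential is
        # attached to whatever record carries this address.
        acct = self.accounts.setdefault(email, Account(email))
        acct.password_hash = hash_password(password)
        return acct

    def login_password(self, email: str, password: str) -> Account | None:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None:
            return None
        return acct if hmac.compare_digest(acct.password_hash, hash_password(password)) else None


class HardenedStore:
    """Accounts come into existence, and credentials get attached, only once
    the address has been proven: by the identity provider for social login,
    or by redeeming a token delivered to the mailbox for password signup."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.pending: dict[str, tuple[str, str]] = {}   # token -> (email, password_hash)
        self.outbox: list[tuple[str, str]] = []          # (email, token); stands in for SMTP

    def register_social(self, email: str, social_id: str) -> Account:
        acct = self.accounts.setdefault(email, Account(email))
        acct.social_ids.add(social_id)
        acct.email_verified = True
        return acct

    def start_password_registration(self, email: str, password: str) -> None:
        # Same behaviour whether or not the address is known (no enumeration).
        # Nothing is written to the account table yet; a real deployment also
        # expires these tokens and rate-limits the endpoint.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (email, hash_password(password))
        self.outbox.append((email, token))

    def complete_verification(self, token: str) -> Account | None:
        # Only the mailbox owner can present the token, so attaching the
        # pending password here (to an existing social account or a new one)
        # is safe.
        entry = self.pending.pop(token, None)
        if entry is None:
            return None
        email, pw_hash = entry
        acct = self.accounts.setdefault(email, Account(email))
        acct.password_hash = pw_hash
        acct.email_verified = True
        return acct

    def login_password(self, email: str, password: str) -> Account | None:
        acct = self.accounts.get(email)
        if acct is None or acct.password_hash is None or not acct.email_verified:
            return None
        return acct if hmac.compare_digest(acct.password_hash, hash_password(password)) else None


def demo() -> dict[str, bool]:
    """Walk both stores through the scenario; returns outcomes for inspection."""
    victim, attacker_pw, owner_pw = "victim@example.com", "attacker-chosen", "owner-chosen"

    flawed = FlawedStore()
    flawed.register_social(victim, "provider:123")
    flawed.register_password(victim, attacker_pw)
    flawed_takeover = flawed.login_password(victim, attacker_pw) is not None

    hard = HardenedStore()
    hard.register_social(victim, "provider:123")
    hard.start_password_registration(victim, attacker_pw)
    # The token went to the victim's mailbox; without it nothing was attached.
    hardened_takeover = hard.login_password(victim, attacker_pw) is not None

    # The real owner, who can read the mailbox, adds a password to the same account.
    hard.start_password_registration(victim, owner_pw)
    owner_acct = hard.complete_verification(hard.outbox[-1][1])
    owner_login = hard.login_password(victim, owner_pw) is not None
    still_linked = owner_acct is not None and "provider:123" in owner_acct.social_ids
    return {"flawed_takeover": flawed_takeover, "hardened_takeover": hardened_takeover,
            "owner_login": owner_login, "still_linked": still_linked}
```

The point of the two stores is the invariant, not the data structure: in `HardenedStore` there is no code path that writes a password for an address without a redeemed token, so the "someone else knows the email" case collapses to an unread message in the victim's inbox. The mirror case (an attacker pre-registers a password account and the victim later signs in socially) is closed by the same rule, because an unverified password record is never created in the first place.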