Linking two user accounts

In our app, we have implemented the logic that allows users to log in through a social connection as well as with email/password.
When the user first registers with email & password, we force them to verify the email, and linking a social connection is not allowed until it is verified.

The problem begins when the user originally creates an account with a social connection (at that point the email is by definition verified) and then someone else can create another account using his email and any new password. This creates a situation where an attacker can take over an account for as long as they know the email.

I am probably missing something, but I can’t come up with a good algorithm for how to overcome that. What are the best practices here?
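One way to model the flow described in the question, as an added example that is not part of the original post and not Auth0's API: an unverified email/password signup is parked and attached to nothing, so it cannot reach an account first created through a verified social connection. The class, method, status and provider names are hypothetical, and the model assumes that only the mailbox owner can complete the emailed verification step and that the password is set or re-entered at that step.

```javascript
// Added example: in-memory model of a linking policy. All names are hypothetical.
class AccountStore {
  constructor() {
    this.accounts = new Map(); // accountId -> { email, providers: Set }
    this.pending = new Set();  // "provider|email" identities awaiting email verification
    this.nextId = 1;
  }

  static norm(email) { return email.trim().toLowerCase(); }

  findByEmail(email) {
    for (const [id, acct] of this.accounts) if (acct.email === email) return id;
    return null;
  }

  // emailVerified is the provider's assertion: true for the social connection
  // in the post, false for a fresh email/password signup.
  register(provider, rawEmail, emailVerified) {
    const email = AccountStore.norm(rawEmail);
    if (emailVerified) return this.attach(provider, email);
    // Unverified identities are parked and attached to nothing, so signing up
    // with someone else's address never reaches that person's account.
    this.pending.add(`${provider}|${email}`);
    return { status: 'verification_required', accountId: null };
  }

  // Models the mailbox owner completing the emailed verification step.
  confirmEmail(provider, rawEmail) {
    const email = AccountStore.norm(rawEmail);
    if (!this.pending.delete(`${provider}|${email}`)) {
      return { status: 'nothing_pending', accountId: null };
    }
    return this.attach(provider, email);
  }

  attach(provider, email) {
    let id = this.findByEmail(email);
    const status = id === null ? 'created' : 'linked';
    if (id === null) {
      id = this.nextId++;
      this.accounts.set(id, { email, providers: new Set() });
    }
    this.accounts.get(id).providers.add(provider);
    return { status, accountId: id };
  }

  // A login resolves to an account only through an attached identity.
  login(provider, rawEmail) {
    const id = this.findByEmail(AccountStore.norm(rawEmail));
    return id !== null && this.accounts.get(id).providers.has(provider) ? id : null;
  }
}
```
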

Hi @shurika

Welcome back to the Auth0 Community!

Thank you for posting your question. I will come back to you as soon as I have more details.

Thank you for your patience.