Prevent multiple signups with the same email across different connections

Hi Konrad.

Thanks for your reply. Yes, at the moment we are using the account merging rule, but we have discovered a big security hole where, if a user already has a social account (e.g. FB) and someone tries to sign up with Username and Password using the same email address, they can get access to the original user’s account. When this happened, the original user (who first logged in using FB) received an email asking to verify the email, and he simply clicked the link in the email because he already had an account in our system and did not think much about it. This automatically gave the second user access to his account.

I know that it was a user mistake (he should not have clicked on the link in the email verification) but it’s an easy mistake to make and we want to stop it.

I hope this makes sense.

Regards

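An added example, not part of the original post and not Auth0's own API: a sketch of the two checks that close the hole described above, refusing a signup whose email already exists on another connection and linking accounts only when the session proves control of the existing account. The function names, record fields and sample users are hypothetical and constructed for illustration.

```javascript
'use strict';

// Constructed sample directory: one account created earlier through a social login.
const existingUsers = [
  { user_id: 'facebook|1001', connection: 'facebook',
    email: 'alice@example.com', email_verified: true },
];

// Compare emails case-insensitively and ignore stray whitespace.
const normalize = (email) => String(email).trim().toLowerCase();

// Hypothetical pre-registration check: block a signup when the email is
// already bound to an account on a different connection.
function checkSignup(users, candidate) {
  const clash = users.find((u) =>
    normalize(u.email) === normalize(candidate.email) &&
    u.connection !== candidate.connection);
  return clash
    ? { allow: false, reason: 'email_in_use', existing: clash.user_id }
    : { allow: true };
}

// Hypothetical merge decision. A clicked verification link only shows that
// someone with mailbox access clicked it, not that the person who created the
// new account owns the old one. Linking therefore also requires that the
// current session has logged in to the existing account.
function decideLink(existing, incoming, session) {
  if (normalize(existing.email) !== normalize(incoming.email)) return 'no_link';
  if (!existing.email_verified || !incoming.email_verified) return 'no_link';
  if (session.reauthenticatedAs !== existing.user_id) {
    return 'require_login_to_existing';
  }
  return 'link';
}

// The scenario from the post: a second signup with the same email address.
const signup = { connection: 'Username-Password-Authentication',
                 email: 'Alice@Example.com ' };
console.log(checkSignup(existingUsers, signup));

// Even if the new account's email later becomes verified, no automatic merge
// happens until the session has authenticated as the existing account.
const incoming = { user_id: 'auth0|2002', connection: signup.connection,
                   email: signup.email, email_verified: true };
console.log(decideLink(existingUsers[0], incoming, { reauthenticatedAs: null }));
```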