I know that changing mail willy-nilly is not allowed and no site allows to do that…
And that’s why they ask for a password confirmation before doing so!
As I said before, I already changed my mail on more than a dozen sites (including Steam itself) and none of them sent anything to my hijacked mail, only asking for the confirmation of my old password and in case of some my security questions.
Steam recovery system accepts digital keys as proof of purchase. If you have several keys to the games that the account owns, you can claim that it’s yours and Steam is very likely to favour your claim as genuine.
The mail host I used (which is pretty popular where I live so I used it without care) was found by me to be not very good at keeping accounts secure - it had two-factor authentication, but for whatever reason it was found that through some specific steps one could bypass the phone check completely and thus reset the password and enter their own.
I’ve been accessing my Chrono.gg account only from 3 places/devices (home, phone and workplace), all in the same city - any access from “irregular” point/machine or another country for that matter would be not mine. I hope this can help, since Chrono.gg does not seem to implement any security questions or other forms of additional authentification.
As was said above - additional verification is fine, but not when sending mail back to initial adress is the ONLY way of confirmation - there should be something else added to the security.
Since all the keys I claim at this point on this site will be sent to my hijacked email, using Chrono.gg in any manner puts my Steam account at heavy risk of being claimed by the hijacker via key ownership.
I’ve already sent an email to email@example.com and my request was accepted, so we’ll see what happens next.