I sympathize with what you’re experiencing Sinael (it’s happened to me before) and perhaps I’m not fully understanding the issue with Chrono.gg’s account recovery/update system but I don’t see this as a security failure. I’m not sure if the email associated with your Chrono.gg account was changed after reading your post (which understandably you’d want changed) but emailing the original account of an email change is a security feature to let the original account owner know if it has been compromised and linked to an email they don’t control so they can begin the account recovery process and change it back. I’ve had multiple sites notify me of a password or email change after doing so that were sent to my account’s original email for the reason I just mentioned.
If your Chrono.gg account’s email wasn’t updated like your post said that is a problem and needs to be fixed because it doesn’t seem to be functioning like it should be at all. Simply notifying the original email that the account’s email was changed, even what that email address was, shouldn’t be a security concern if you’re using unique passwords for different sites. The worst that could be done is reset your Chrono.gg account password to gain access to it and then steal any keys that haven’t been redeemed. I think this is something you’re concerned about potentially happening.
This is a bit anecdotal since I have no evidence of the contrary, but I’ve had my Steam account (compromised once) for 14 years and I’ve never heard of Steam accepting digital Steam keys to verify proof of ownership. In fact Steam does not list digital keys as one of the accepted forms for proof of ownership in the account recovery process. I had to submit a photocopy of a retail key printed in the TF2 manual in my case. For what it’s worth, the last discussion I read regarding Steam’s account recovery process required even more legwork because the original account owner had their account compromised multiple times in the past and took issue with Steam Support requesting additional retail keys because of their specific case and the fact that few people still posses retail keys after all this time. Steam takes account security seriously and I really don’t think you should be worried about having your Steam account stolen because of your email address being hijacked as long you update your Steam account’s associated email address. If your redeemed Chrono.gg keys are attempted to be activated again and the account reminder option is selected it will send the updated, current email address the reminder email. Since my Steam account is old my login is the original email I used to create the account but have since changed it. My current email address receives the reminder message if I try activating a key I already have. You should also have Steam Guard activated to ensure the most safety with your Steam account but may want to create new backup codes within the app for additional assurance.
I hope I was able to ease your mind a bit and that you’re able to get all your accounts recovered safely. If Chrono’s account information updating process isn’t changing the email address when requested to then it definitely needs to be looked at since it seems to somehow have become broken - literally unplayable!
Edit: I think it’s https://haveibeenpwned.com that’s implemented a secure feature where you can input passwords you may have used (like the one for your email address) and check to see if it’s listed in any of the account info dumps the site uses for its databases. This would be useful if you used the hijacked account’s password elsewhere so you can make sure to change it on those sites and may even provide you the proverbial smoking gun that caused your email account’s compromise in the first place. If I recall correctly, the password is hashed client-side in the browser and never transmitted to the site in any functional form as a password during the lookup process. Troy Hunt made an interesting, although lengthy and technical blog post explaining the security behind it when he added the feature onto the site.