AFAIK when a user changes their email or password they aren’t emailed about it (I certainly wasn’t). This is potentially a security issue, as an account that has keys on it could be hijacked and sold without the user’s knowledge. When changing an email, both ends should get verification. Changes to passwords should at least use a verification code or something. Hope you can fix this soon!
3 Likes
Thanks for pointing this out! We’ve had a task on our to-do list to take another look at the forgot/reset password flow for a while. I’ll bump that up in priority and we’ll definitely take a look at it.