This can be easily fixed by creating a random string on account creation. Once account is created the random string needs to be used in trollbox to activate the tpg account.

Not hard, should only take you a few mins to add a rnd string gen along with activation on string use. You already parse the entire trollbox so might as well add a verification in there that way.

the random generation has to be nothing fancy even rand(5,10) etc would work. Although you love to use the unix time stamp