There are far too many compromised accounts to think that this is coming from the users themselves, either because they have a weak password, or use the same password on multiple sites. The rate is too high.

While the user receives the email, instead to insert a link to lock the account, shouldn't there a link to recover the account too?