Even though authentication is required first to do a password change.
What authentication are you talking about here?
IIRC, you can easily hack those accounts if their passwords are weak, and then change the password and e-mail after that. There will be notifications to the old e-mail address, but then if you don't click it within the allowed time-frame then your account is gone.
Anyway, the connection looks strong.