I guess Daniel should do a better job at explaining why he's making you wait the 2 weeks. Over the years people have never-endingly being trying to hack each others accounts. Sometimes it's even successful, as one one hand you want to do something simple like "all correct password attempts result in a login" but on the other hand, you have people constantly giving out their passwords (?!), downloading malware, sharing their physical computers with scammers, etc.
I know you sold the website to Daniel long ago, but with that level of login abuse, wouldn't it make sense to send a confirmation email on a successful login from a new IP address? That should severely reduce the number of successful break-ins since , as you said, email accounts are usually sealed off.