If you can get away with it, that is. Which won't be the case with most people starting their own site if they don't have a very high reputation/social proof/etc.
(As a site operator) the nice thing about a dynamic commission is you can use it to incentivize people to invest when you need investors too.
Secondly, I keep thinking: why do people actually do these things?
Given enough people and time, pretty much everything that can happen, will happen. I'm kind of more surprised that he's not grateful that he will not lose access to his funds and just needs to wait 2 weeks for his 2FA email to be reset.
I'm digressing a little, but something similar happened to me, mostly due to a (now fixed) design flaw in Blockstream's GreenAddress wallet, where they required 2FA, which I used Google Authenticator for. Google Authenticator has no way to export the secret, and GreenAddress had no way to even request a TOTP reset. To recover my funds, I made a very very low intensity brute-force script (each attempt has a 1 in a million chance). Out of spite, they manually blacklisted my funds (0.1 BTC) and have held them ever since. I think if you compare how Daniel is handling it, compared to Blockstream ... you'd see Daniel is pretty damn professional.