Consider the following scenario:
DSA could narrow this issue by sending some confirmation email, but users would be annoyed with so many confirmations; the pipeline won't be hard to implement, and those willing to ignore it can disable it easily. Besides that, I don't think another solution could be implemented to avoid that situation; a simpler approach would be to just add a comment to the docs explaining the risk of this setting.
This is a good problem to get solved, so I might take some time to implement the pipeline entry to send confirmations.
Associating by e-mail seems to be the default. This opens up a major security vulnerability in many existing DSA deployments that have OpenID enabled. Therefore, I feel you should at least change the defaults, perhaps even (temporarily) disable this feature completely.
Default SOCIAL_AUTH_ASSOCIATE_BY_EMAIL to False to avoid some security risks (while it's not removed). Closes #356
There's another way in also:
If someone hacks an account at any of the social auth providers, they can then associate to unprotected django-socialauth sites, even if the legitimate user never set up such a linkage.
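As an added example (not code from django-social-auth or from anyone in this thread), here is a minimal model of both behaviours: the unconfirmed linking that SOCIAL_AUTH_ASSOCIATE_BY_EMAIL=True performs, and the confirmation-token pipeline step proposed above, under which a compromised provider account that merely reports the victim's e-mail cannot complete the link without access to that mailbox. The in-memory user table, the `details` dict shape and the token store are constructed stand-ins for the Django models, not the library's API.

```python
import secrets

# Constructed stand-in for the User table: e-mail -> username
USERS = {"alice@example.com": "alice"}

# Constructed stand-in for a pending-confirmation table: token -> (provider uid, e-mail)
PENDING = {}

# The safer default proposed in the thread; True re-enables the weak behaviour
SOCIAL_AUTH_ASSOCIATE_BY_EMAIL = False


def associate_by_email_unconfirmed(details):
    """Weak behaviour: whatever e-mail the provider reports is trusted, so a
    provider account whose e-mail equals the victim's gets the victim's user."""
    return USERS.get(details.get("email"))


def request_association(details):
    """Hardened step: do not link on the provider's word alone. Record a
    pending link and return a one-time token that is sent to the mailbox
    (in a real deployment: e-mailed, never handed back to the login flow)."""
    email = details.get("email")
    if email not in USERS:
        return None  # no existing account to link; normal signup path
    token = secrets.token_urlsafe(16)
    PENDING[token] = (details["uid"], email)
    return token


def confirm_association(token, uid):
    """Complete the link only when the mailbox owner presents the token and it
    belongs to the same provider uid that started the request. Tokens are
    single-use: a failed or successful attempt consumes them."""
    entry = PENDING.pop(token, None)
    if entry is None or entry[0] != uid:
        return None
    return USERS[entry[1]]


def associate(details):
    """Pipeline entry point honouring the setting: returns the linked username,
    or None when the link still needs mailbox confirmation."""
    if SOCIAL_AUTH_ASSOCIATE_BY_EMAIL:
        return associate_by_email_unconfirmed(details)
    request_association(details)
    return None
```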