I just got this via email:

Welcome to Firefox Add-ons.

Before you can use your new account you must activate it - this ensures the e-mail address you used is valid and belongs to you. To activate your account, click the link below or copy and paste the whole thing into your browser's location bar:

https://addons.mozilla.org/en-US/firefox/users/verify/1364892/...

Once you successfully activated your account, you can throw away this e-mail.

Thanks for joining Firefox Add-ons
-- Firefox Add-ons Staff --

It appears to be me, however there was only one link to click, no way for me to complain that the link was not requested. I clicked the link and instantly someone else's password for my email address was active. I did not ask for the account (at least, I don't remember asking for it). But the email provides no way for someone to investigate the "registration" other than clicking on the link, by which time, the damage is done.
Btw, if you don't have sufficient logging to remember all account details (original first/last name, registrant IP address, etc.) please let me know, I'll file a bug asking you to ensure that the next version retains such information.
I think it's pretty standard practice that if you didn't request an account, you don't click on the link confirming that you did request the account.
I agree with Justin. However, what we may need to do is add a maintenance job that will expire new user registrations after a little while (2 days?). We have quite a bunch of unverified user accounts that just take away space and block nicknames, but don't serve any purpose because nobody can log in before confirming their account.
It may be standard practice somewhere else, however Bugzilla's standard practice has been two links, one to affirm and one to reject. I'm also used to this from other good services on the web. But yes, auto expiring is also a good thing (Bugzilla tokens expire after a couple of days, in this case if you don't have a reject option then 2 days is a good maximum).
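The two-link confirmation with a two-day expiry discussed in the comments above, as an added example that is not part of the bug thread or of the addons.mozilla.org code. The token format, secret, in-memory store and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed here
TOKEN_TTL = 2 * 24 * 3600         # two days, the maximum suggested in the thread
ACTIONS = ("confirm", "reject")

pending = {}       # user_id -> registration details kept for investigation
active = set()     # user_ids whose e-mail address was confirmed
rejected_log = []  # details of registrations the mailbox owner disowned

def _sign(user_id, action, issued):
    msg = f"{user_id}:{action}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def register(user_id, email, ip, now=None):
    """Store a pending account; return the (confirm, reject) link tokens."""
    issued = int(now if now is not None else time.time())
    pending[user_id] = {"email": email, "ip": ip, "issued": issued}
    return tuple(f"{user_id}:{a}:{issued}:{_sign(user_id, a, issued)}"
                 for a in ACTIONS)

def handle_link(token, now=None):
    """Process a clicked link: activated, rejected, expired or invalid."""
    now = int(now if now is not None else time.time())
    try:
        uid_s, action, issued_s, sig = token.split(":")
        user_id, issued = int(uid_s), int(issued_s)
    except ValueError:
        return "invalid"
    expected = _sign(user_id, action, issued)
    if action not in ACTIONS or not hmac.compare_digest(sig.encode(), expected.encode()):
        return "invalid"
    rec = pending.get(user_id)
    if rec is None or rec["issued"] != issued:
        return "invalid"  # already confirmed, rejected or purged
    del pending[user_id]  # either link is single-use and frees the nickname
    if now - issued > TOKEN_TTL:
        return "expired"
    if action == "confirm":
        active.add(user_id)
        return "activated"
    rejected_log.append({"user_id": user_id, **rec})  # keep the registrant IP
    return "rejected"

def purge_expired(now=None):
    """Maintenance job: drop registrations never confirmed within the TTL."""
    now = int(now if now is not None else time.time())
    stale = [u for u, r in pending.items() if now - r["issued"] > TOKEN_TTL]
    for u in stale:
        del pending[u]
    return stale
```

Because both tokens are bound to the same pending record, using the reject link also invalidates the confirm link that was mailed with it.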
Bug 444010 cleans up inactive accounts and we have reCAPTCHA to prevent a bot from creating thousands of users. I think we should move on.