I think there should be an extra check when changing your email. Make sure that you want to change your email from your old one too. This is important because if someone gets your password, they might change the password and email with a new one. You won't have a way to get your account back, except if you're already logged in, which doesn't happen all the time.
UPD: It automatically closes all sessions when changing password, so not even that is possible.