Description:
if you know the email address of someone with an account on the forge, go a register the same email address and you will be the new owner of that account.

How to repeat:
Create a new account and fill in the fields with anything you want, but just make sure you use someone else's email address.

And you will see that you are going to be logged in with no problems under the already used email address.

Suggested fix:
make sure email address was not already used.

Thanks for your bug report.
Verified as described.

Thank you for a problem report. 

I was able to created 2nd account with the same email address but different password and other attributed. When I tried to login, though, only the the password for initial account with that email address worked. But(!) I was logged in then with "Display Name" of 2nd account. Do you see the same behaviour?

Yes, I had to use the first password but it does show the second "display name"

The only way I found so far to login without knowing the password is to create a new account using that email address once again.

Anyway, this is a bug.

Hi!  I'm checking into this.  For what it's worth, the table in question has a unique index on the email address field, so no two accounts can be created using the same email address.

Likely, what is happening is that instead of error-ing out with a message saying "Email already in use", the account with that email is being overwritten with the new account information, essentially bonding the old account with the new user.... :(

Anyway, I should have this figured out shortly...

Cheers.

Since this is a critical bug, I would like to get feedback on whether the patch I just pushed fixes all these issues.  I cannot now reproduce the issues on my local environment.  Please test on forge1.mysql.com and let me know if you can repeat the bug's behaviour.  If not, I will close this.

Patches in r378.

Yep, it is fixed now.