Email verification links still valid after changing it 2x

Disclosed: 2015-03-13 11:08:45 By jackds To irccloud
Unknown
Vulnerability Details
When creating a new account on IRCCloud.com, the user is asked to confirm his email address. The email verification link is formatted in the following way: irccloud.com/verify-email/{user_id}/{email_address}/{hash_value}. If the user decides to change his email address before he has confirmed it, a new confirmation mail is sent to his newly entered address. At this point the old verification link is not valid anymore. However, if the user changes his email address again, and uses the same address as he originally used to create his account, the same verification link as the original one is sent again.

The hash value in the URL seems to be generated based on the entered email address. This tells me that the hash is not very strong. I would have expected some randomness here as well, at least to make sure that a new hash is generated the second time the user changes his email address. This can for example be done by adding a random salt to the hash. Of course you will need to store this random value also to be able to recalculate the hash during verification.

In short:
  • User creates account and receives verification link: verify-email/1/[email protected]/12345
  • User changes email address. A new confirmation mail is sent with the following verification link: verify-email/1/[email protected]/85264
  • Now the first verification link is not valid anymore.
  • User changes email address back to [email protected]. He now receives the exact same link as before: verify-email/1/[email protected]/12345.
Report Stats
  • Report ID: 51166
  • State: Closed
  • Substate: informative
  • Upvotes: 3
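
The difference between the behaviour the report describes and the randomised scheme it suggests, as an added example that is not part of the original report and is not IRCCloud's code. The HMAC derivation is an assumed stand-in for the observed deterministic hash; `PendingVerifications`, the server key and the addresses are hypothetical, constructed values.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = b"constructed-demo-key"  # constructed value, demo only


def deterministic_token(user_id: int, email: str) -> str:
    """Assumed stand-in for the reported behaviour: same inputs, same token."""
    msg = f"{user_id}:{email}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:16]


class PendingVerifications:
    """Hypothetical store: one random, single-use token per pending user."""

    def __init__(self):
        self._pending = {}  # user_id -> (email, sha256 hex digest of token)

    def issue(self, user_id: int, email: str) -> str:
        token = secrets.token_urlsafe(32)  # fresh randomness on every request
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[user_id] = (email, digest)  # overwrites any older token
        return f"verify-email/{user_id}/{email}/{token}"

    def verify(self, link: str) -> bool:
        try:
            _, uid, email, token = link.split("/")
            user_id = int(uid)
        except ValueError:  # wrong number of segments or non-numeric id
            return False
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        ok = entry[0] == email and hmac.compare_digest(entry[1], digest)
        if ok:
            del self._pending[user_id]  # a used link cannot be replayed
        return ok


def demo():
    a, b = "alice@example.test", "alice2@example.test"  # constructed addresses
    det_same = deterministic_token(1, a) == deterministic_token(1, a)
    store = PendingVerifications()
    first = store.issue(1, a)   # account created
    store.issue(1, b)           # address changed
    third = store.issue(1, a)   # changed back to the original address
    return det_same, first != third, store.verify(first), store.verify(third)
```

Only the digest of the token is stored, so a read of the pending table does not yield usable links.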