Previously, when updating your cPanel's contact email addresses, you can do that without a password.
For increased security, cPanel now requires users to enter their account's password to update their contact email address(es) in Home >> Preferences >> Contact Information.
Why is this important?
Imagine that a malicious user has been targeting your cPanel account for a take-over.
The malicious user knows that the cPanel account has no two-factor authentication enabled.
To complete the take-over, all he or she needs to do is to change the cPanel account's email address.
Once done, he or she can lock you out of the account, and gain access to your billing account, all your emails, and data.
With this, he or she must have access to your cPanel account's password to remove your contact email address and add his or her's.
But please note that this is not enough to keep your account completely safe.
If this person gains access to your password, he or she can meet the "use your password before updating contact email address" requirement.
As has been suggested before, we encourage and recommend that you:
- enable two-factor authentication at cPanel >> Security >> Two-Factor Authentication to prevent unauthorized access.
- add another non-cPanel email address (Google, Microsoft, etc - remember to whitelist your domain) at cPanel >> Preferences >> Contact Information to get a notification when someone accesses your cPanel.
