AGISB wrote:
The validation email to the new account is just to make sure the email is correct, as my application requires a valid email so I can contact the user.
It seems to me like that's the user's problem, not yours. However, there is a security problem with not confirming it. A malicious user could conceivably create an account under an email, change it to a non-existant email, and then register again with the first email. Using this method the person could create as many accounts as they like with only one valid email address. A good way to circumvent that would be to put a hold on the email for say, 36 hours, before allowing any particular email to be re-registered.
Overall, I don't think you need to be too worried about it, most sites are pretty lax in dealing with changing emails, I find, and there's not too much trouble.