From what I can tell, if I’ve already created an account with my email address (say, via GitHub), then I sign out, then sign in in via another service (such as Facebook) where I have the same e-mail, I’m logged in to my Discourse account with no further steps.
Here’s why this is a bug:
Say Alice has an email address, and a Facebook account, but not a Twitter account. She signs up for an account in Discourse using her Facebook account.
Later, Eve creates a Twitter account with Alice’s email address. Twitter lets you use an account without verifying the email address, so she then signs in to Discourse with this Twitter account. Discourse sees this Twitter account has the same email as Alice, and so logs Eve in as Alice.
Associating a new endpoint with an existing account should require verification from an already-authorized endpoint.