A notice should be shown on the steemit.com website during the 30-day period after the recovery account is changed, for example red text in the profile: "Your recovery account has been changed. If this was not you, your password has been compromised: change the password and change the recovery account."
I think this is not difficult to do; there is no need even to change the blockchain.
Because if an attacker steals your password, he will change your recovery account, and you will not know about it. After 30 days the attacker will take over the account, and you can never restore it. It is worse than on Facebook.
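The check such a notice needs, as an added example that is not the poster's code and not steemit.com's: scan an account's operation history, in the shape of Steem account-history records, for a `change_recovery_account` operation whose 30-day delay has not yet elapsed, and report the pending change. The sample history below is constructed; the record shape and the 30-day delay are assumptions taken from Steem and from the post.

```python
from datetime import datetime, timedelta

# Delay before a recovery-account change takes effect (30 days, per the post).
RECOVERY_CHANGE_DELAY = timedelta(days=30)


def parse_ts(ts):
    # Steem timestamps look like "2018-03-10T12:00:00" (no timezone suffix).
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def pending_recovery_change(history, now):
    """Return the most recent change_recovery_account request still inside
    its 30-day delay at `now`, or None if no change is pending.

    `history` entries mimic Steem account-history records:
        (index, {"timestamp": "...", "op": [op_name, op_payload]})
    A newer request replaces an older pending one, so only the latest counts.
    """
    pending = None
    for _index, entry in history:
        op_name, payload = entry["op"]
        if op_name != "change_recovery_account":
            continue
        changed_at = parse_ts(entry["timestamp"])
        effective_at = changed_at + RECOVERY_CHANGE_DELAY
        if effective_at <= now:
            continue  # already in effect; nothing left to warn about
        if pending is None or changed_at > pending["changed_at"]:
            pending = {
                "account": payload["account_to_recover"],
                "new_recovery_account": payload["new_recovery_account"],
                "changed_at": changed_at,
                "effective_at": effective_at,
                "days_left": (effective_at - now).days,
            }
    return pending


def warning_text(change):
    """The red profile text the post proposes, filled in from the pending change."""
    return ("Your recovery account has been changed to @%s (takes effect in %d days). "
            "If this was not you, change your password and your recovery account."
            % (change["new_recovery_account"], change["days_left"]))


# Constructed sample history: one old change (already in effect) and one recent (pending).
SAMPLE_HISTORY = [
    (1, {"timestamp": "2018-02-01T10:00:00", "op": ["change_recovery_account",
         {"account_to_recover": "alice", "new_recovery_account": "steem"}]}),
    (2, {"timestamp": "2018-03-10T12:00:00", "op": ["change_recovery_account",
         {"account_to_recover": "alice", "new_recovery_account": "unknownacct"}]}),
]

if __name__ == "__main__":
    change = pending_recovery_change(SAMPLE_HISTORY, datetime(2018, 3, 15, 12, 0, 0))
    print(warning_text(change) if change else "No recovery-account change pending.")
```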
I have already told golos.io about this vulnerability, and it will be fixed.
I apologize for my bad English. My Telegram: