Seems like a case of a generic endpoint being implemented up update any field provided without consideration of other restrictions on said field. In this case we have a PATCH /api/v2.0/accounts/<account_id> endpoint which ultimately takes in a dictionary containing field/value pairs to be updated for the account id. By editing the request to include the email field, it can be updated to any new value without going through the normal verification process. While I cannot be sure without seeing Reddit’s code this seems to me like the endpoint probably just takes the provided fields checks if it exists and updates it creating this situation where you could provide unexpected fields to be updated.