Ubercart

I thought that might be the reason, and I considered it ... but then I couldn't think of any drawbacks to it.

So, let's say you order something for someone else's account... the worst thing that can happen is you're never able to login and see your order status. The address info and payment info all comes from the order that was just placed. But if you do have an account, it would seem like a bigger deal to force someone to login to purchase.

Aye, it sounds like there are benefits / drawbacks to both options. From a conversion standpoint, I don't want anything preventing from paying. For example... what if that person can't remember the password for the account on the site? We're injecting a lot of hassle into the checkout process if they have to research it all before they can ever convert. Perhaps the thing to do is update the message here to instruct users to verify that they typed their e-mail address properly. But without a clear benefit over the current situation, I'm not inclined to change the behavior. Happy to hear others' opinions.

I might review a patch that did that, but it's not something I plan to do myself.

Why can't we force a user to login before they change any information like this?

This is how Amazon (and probably any other site) does this regardless of whether or not they allow subscriptions. Any time a user is attempting to change something account-related, it asks for your password again. So, I think, if you're attempting to spoof someone's account, or to make a purchase using an existing email address, UC should know about it and say "We have an account with that email address. Please enter your password to continue. Forgot your password? Click here to reset it."

There's really, in any sense that I can think of, NO reason for checkout to ever be completely anonymous. Yes, you allow users to make their first purchase anonymously, by only asking for an email address - but you should email them a password to use in their return business.

Perhaps we force the email address / account to expire after a certain amount of time has passed? If a user is only buying something from your store every couple months, maybe you move them into a "stale" or "inactive" state, and when they try to make another purchase later on with that same email address, intercept it in the middle and say what I mentioned above. You could alternately word it along the lines of "Your account has been inactive for x months. Please confirm your email address by clicking this link." At that point you send them, essentially, a "one-time login link" along the lines of what Drupal already does, just to confirm they are who they say the are. Then you can proceed with checkout.

Those are my thoughts, it really does seem to be a security issue in my opinion. Not that your site is ever really insecure (unless as Lindsay says there is some breach of CIM information) - but it gives the illusion to the customer that their account has been compromised. This is especially important for someone like me, who runs a large site with many customers - many of whom are incredibly tech-savvy.