Yes. I did add a security question and a pin code to the account. Since I got into my account within minutes of receiving the email about the unauthorized password change, I may have preempted any further unauthorized activity. I was a bit worried about my credit card info and deleted the credit card on the account. The support person I spoke with did not seem worried about the unauthorized password change though he promptly added extra security layers (pin and security question).
Was the email about an unauthorized password change or an unauthorized change of email address? Post #5 above seems to contradict the OP and thread title, which are about changes of the email address attached to the account.