Why is payment disabled for those of us who already locked our payment addresses?
Because one miner lost money with a locked address.
A thief logged in with his password, changed the payment address and then locked it.
There is no way to prevent such a situation without additional verification by email.
I'm just waiting until all active miners recheck their payment addresses and update their passwords.
Passwords, especially important passwords, are really the responsibility of the users, not you. Your only responsibility is to keep the passwords on your system secure [ideally extremely difficult to impossible to retrieve even with physical access to the hardware]. A user should, for instance, NOT use their banking password as their forum password or their pool password or their email password or their rcairplanes.com (I don't know if that is real .. probably is) password. Many people are willing to use one common unimportant password for many locations where there is no real risk should it be discovered. People dealing with something important like their finances should definitely know better than to use the same password elsewhere. Also, the people working with bitcoin mining are all or nearly all pretty technically savvy and it goes without saying. Thus, if such a person had their account breached because they didn't use a secure password and used one that was available elsewhere [say a forum or something less secure ... DSLReports was recently compromised and passwords stolen, but even if that password had been one I use now, no real damage could be done; but as it stands, that is not a problem except perhaps on some benign site I may have registered and used years ago, but no longer use and maybe is still online]. Anything with financial information on record uses a different password than others [and I keep most of those to a minimum anyway]. You implemented https not so long ago, and people had a chance to change their password after that time [and I did just that]. You are in no way responsible for this user's loss and would not be judged poorly for not covering the loss, although, no doubt, if you did cover the loss, your social capital [in respect and honor] would increase [although some might think you set a precedent for yourself that may not be in your interest].
I don't know who this user is nor the circumstances, but did you follow the block chain at all to determine where it went? For all you know, the user logged in and changed the address himself, locked it and had it sent to the very same wallet as before. Did you verify the web server logs to see if access to his account was made from another address than is typical [assuming his isn't dynamic such that it changes frequently which is pretty rare these days unless you are on dial-up]? I refer to the user as "him" for lack of knowledge to the contrary, but also because most techies who would deal with bitcoin mining are undoubtedly male which I doubt anybody would argue.
Long paragraph to say the obvious; I think you overreacted by locking payouts.
You are the pool operator though and can do what you feel is best and users will do accordingly. You have restricted their ability to trade on an exchange however and added delays between their initial plan to move funds [bitcoins or cash] to an exchange for trading and the time when such a trade can occur and in a volatile market, that can make all the difference between making or breaking the deal to trade. Private P2P bitcoin trades are less affected obviously beyond the delay of your payouts, but whatever they would get in return for sending coins may go up or down in price (BTC) by the time they get funds. For most, it probably isn't a big deal. I am just pointing out the ramifications and the likelihood that you prevented nothing [of what you intended to prevent] by your action.
Personally, I don't think your lock down was much of a negative reflection upon you, but perhaps a little one, but that is my opinion and others may not share it. I do believe that you probably didn't really think it through before putting it in place.
Fortunately, I am not doing any imminent trading nor am I mining on your pool [although I was less than a week ago], so it has no effect on me personally, but it does leave me with the knowledge that I might lose access temporarily to my mined coins through your voluntary action when I use your pool again [which I undoubtedly will; I still think it is a great pool].
Please take this as constructive criticism and my personal opinion and nothing more than that. It is not intended as an attack, or scolding or anything of that nature; just an objective [well, on a couple of points it is personally biased where I am clearly stating opinion] response.