I'm extremely surprised as well. This seems like an obvious vector for an impersonation attack. A malicious user could do this, then perhaps they would have more success submitting a malicious change to "correct a flaw in their previous commit".
At the very least, repo owners should have some better control over how attributions display when the user is not a project member or the email used is not verified to an existing user.