what precautions to take when linking an existing user with a fb account
I was going through the Devise OmniAuth documentation and came across the snippet below.
It shows an example, but the note says that for an actual live app, precautions must be taken.
What kind of precautions could be taken here for an actual live application?
def self.find_for_facebook_oauth(access_token, signed_in_resource=nil)
  data = access_token['extra']['user_hash']
  # Look the account up on the e-mail address Facebook reported alone;
  # this is the step the note below warns about.
  if user = User.find_by_email(data["email"])
    user
  else # Create a user with a stub password.
    User.create(:email => data["email"], :password => Devise.friendly_token[0,20])
  end
end
Note: This is simply an example. Your application must take precautions if using User.find_by_email to link an existing User with a Facebook account.
The warning is strangely cryptic, but the code snippet suggests that they are referring to the danger of trying to match an existing user account (created directly on the website or through some non-Facebook registration) with a Facebook account based solely on finding a matching email address. Many users would probably end up with a new account created even though they already had one.
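One way to put such precautions into code, as an added example that is not from the Devise docs or the answer above: match on the provider's stable uid first, let a signed-in user link their own account, and refuse to silently attach an anonymous Facebook login to an existing account on e-mail alone. The `UserStore`, `User` struct and outcome symbols are assumptions standing in for the Rails model so the snippet runs without a database.

```ruby
require 'securerandom'

# Minimal stand-in for the User model (assumed, not Devise's).
User = Struct.new(:email, :provider, :uid, :password, keyword_init: true)

class UserStore
  def initialize; @users = []; end
  def add(user); @users << user; user; end
  def find_by_email(email); @users.find { |u| u.email == email }; end
  def find_by_provider_uid(provider, uid)
    @users.find { |u| u.provider == provider && u.uid == uid }
  end
end

# Returns [outcome, user]; outcome is one of
# :existing, :linked, :needs_confirmation, :created (assumed names).
def find_for_facebook_oauth(store, auth, signed_in_resource = nil)
  data = auth['extra']['user_hash']
  uid  = auth['uid']

  # 1. The provider uid is the stable identifier; an e-mail can change hands.
  if (user = store.find_by_provider_uid('facebook', uid))
    return [:existing, user]
  end

  # 2. A user who is already signed in is linking their own account.
  if signed_in_resource
    signed_in_resource.provider = 'facebook'
    signed_in_resource.uid = uid
    return [:linked, signed_in_resource]
  end

  # 3. Anonymous login whose e-mail matches an existing account: do not link
  #    automatically; the caller should ask the user to sign in normally first.
  if (user = store.find_by_email(data['email']))
    return [:needs_confirmation, user]
  end

  # 4. Nobody by that e-mail: create a new user with a random stub password.
  user = User.new(email: data['email'], provider: 'facebook', uid: uid,
                  password: SecureRandom.hex(20))
  [:created, store.add(user)]
end
```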