Linking accounts automatically is fine, but we should not have an option that can do that without requiring users to authenticate first.
There are so many cases where a user could have one social account compromised. They may not care that much about the account; they may never use the service, so they've completely forgotten about it.
Imagine the following scenario:
* Tom signed up for Gmail in 2005 - figured it was great and continued using the service for the rest of his life
* Tom signed up for Twitter in 2005 - figured it was not to his taste and never used the account again
* Tom has now read about two-factor auth and configured it on his Gmail account
* Mary (a bad person) figured out that the password to Tom's Twitter account was 'password', so she's gained access to Tom's Twitter - Tom doesn't know, but he doesn't care either
* Tom signs up for a website that uses Keycloak and logs in with his trusted Gmail account
* Now, letting Mary log in to the website that uses Keycloak with Tom's old Twitter account, without first proving she's Tom (which she can't), would be just plain daft!
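The policy argued for above, as an added illustration that is not Keycloak's own code: a small account-linking service for brokered (social) logins. The `AccountLinker`, `LocalAccount`, `BrokeredIdentity` and `LinkRequired` names, and the `auto_link_by_email` flag that models the unsafe option, are all hypothetical. An email match between a brokered identity and an existing local account is treated as a collision, not as proof of ownership; the identity is linked only if it was linked earlier or if the user has just authenticated to the existing account (including its second factor) in this session.

```python
"""Account-linking policy for brokered (social) logins.

Added example, not Keycloak's code. Models the Tom/Mary scenario: a broker
login whose email matches an existing local account must not be linked
automatically; the user has to authenticate with that account first.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LocalAccount:
    username: str
    email: str
    linked_idps: set = field(default_factory=set)  # e.g. {"google"}
    mfa_enabled: bool = False


@dataclass
class BrokeredIdentity:
    idp: str       # "google", "twitter", ...
    subject: str   # provider-side user id
    email: str     # email asserted by the provider


class LinkRequired(Exception):
    """The broker login must first prove control of the local account."""


class AccountLinker:
    def __init__(self, accounts, auto_link_by_email: bool = False):
        # auto_link_by_email=True is the unsafe option the comment argues
        # against: an email match alone is accepted as proof of ownership.
        self.by_email = {a.email.lower(): a for a in accounts}
        self.auto_link_by_email = auto_link_by_email

    def broker_login(self, ident: BrokeredIdentity,
                     authenticated_as: Optional[LocalAccount] = None) -> LocalAccount:
        """Return the local account the brokered identity may log in as.

        authenticated_as: the local account the user has just authenticated
        to with its own credentials (and MFA) in this session, if any.
        """
        existing = self.by_email.get(ident.email.lower())
        if existing is None:
            # No collision: create a fresh local account bound to this IdP.
            acct = LocalAccount(username=ident.email, email=ident.email,
                                linked_idps={ident.idp})
            self.by_email[acct.email.lower()] = acct
            return acct
        if ident.idp in existing.linked_idps:
            # Linked earlier by an authenticated user: ordinary login.
            return existing
        if authenticated_as is existing or self.auto_link_by_email:
            # Safe path: the user proved control of the local account in
            # this session. Unsafe path: the flag skips that proof.
            existing.linked_idps.add(ident.idp)
            return existing
        # Email match alone is not proof of ownership; require the user to
        # authenticate with the existing account (and its MFA) first.
        raise LinkRequired(
            f"{ident.idp} identity for {ident.email} matches an existing "
            f"account; authenticate with it before linking")


if __name__ == "__main__":
    # Constructed sample data for the scenario in the comment.
    tom = LocalAccount("tom", "tom@example.com", {"google"}, mfa_enabled=True)
    safe = AccountLinker([tom])
    marys_twitter = BrokeredIdentity("twitter", "t-1", "tom@example.com")
    try:
        safe.broker_login(marys_twitter)
    except LinkRequired as exc:
        print("refused:", exc)
    # Tom himself, after authenticating with Google + MFA, may link Twitter.
    print("linked as", safe.broker_login(marys_twitter, authenticated_as=tom).username)
```

With `auto_link_by_email=True` the same Twitter login is silently accepted as Tom, which is exactly the outcome the comment calls daft; with the default the caller gets `LinkRequired` and must send the user through authentication against the existing account before any link is created.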