Agreed, or in what will be a more likely case, someone who you have designated as a successor has their account compromised. Then, the attacker escalates that into an attack on your repositories. The 21-day countdown would still be a deterrent, but as an attacker it would be worthwhile to try this on every account you have successor access to and see if perhaps someone doesn't check their email.