Wow, so here comes a bit of a rant. They take security extremely un-seriously:
I was locked out of my account because I signed up with an email address containing a
+, which they no longer consider a valid email address. Contacted them to enquire what to, and was told the following:
In order for you to access your account, please can you let us know if there is another email address you wish to use that does not include a special character?
The email they had on record for me was of the format
So, I send them an email from my email address
email@example.com (so different from the one that they had on record for me!) requesting that they update my address to
Shortly afterwards I receive an email advising me that they had actioned this. Without any further request for verification at all.
So, ultimately for all intents and purposes I have initiated an account take over on the flimsiest of evidence. (I did reply to an email they sent to the registered address, but the “From” address that I used in my reply differed from the one they had on file for me.)