Inhibiting or outright denying the ability to update your email address
There’s a universal truth that you might not hang on to an email address for the remainder of your life for any number of reasons. You might have registered with a service that might collapse against the might of Google, or you may find that a service is just not doing it for you, or you might have realised that nobody’s going to look at your CV past firstname.lastname@example.org before dropping it into the shredder and maybe it’s time to grow up juuust a bit.
Of course, the time comes work on ditching that old address forever, and guess what? There’s that ONE service who decided they’re not going to let you change your email on your account there ever. Goodness knows why, but I can only assume whoever designed sites like this thought it was a remarkably great idea to have your initially-given address serve as the primary key for the record in the database holding your account details.
And it couldn’t be further from the truth.
Someone hijacks that email account? Well, you’re screwed. The moment the culprit becomes aware of other online account using that email, they’re just a password recovery away from taking each of those accounts as well, and there’s literally nothing you can do about it on sites guilty of the above. They have whatever personal details you had on that account, along with any content you had earned, purchased or otherwise obtained or added to that account, and you’re not getting it back. Similarly, if you lose the email account through service closure or deletion, you’ve got no way of recovering accounts permanently tied to that email address.
This also presents a headache for users who may wish to employ the use of email forwarding addresses as a security measure, as locking down an email prevents the ability to simply replace the forwarder with a new one in the event of a breach in which the attackers obtain a collection of user emails in plaintext, and not only grants attackers something to work from, but a fresh target for spammers that can’t be nipped in the bud.
A step down the ladder of fail from this is inhibiting the ability to update your email. By this I mean that some sites will prevent you from changing your email via the site itself, but it can still be changed if you contact the site’s support team. Sometimes they’ll change it there and then without any additional information. Sometimes they may ask for some identification. Either way, it’s still not ideal if you need to update in a hurry, and again, you might have to try in the event that you’ve lost access to your old email account for any reason.
From a security standpoint, I can sort of understand it, but it’s a double-edged sword.