I can give a real example of this that happened to me. I have a Steam account. Many years ago I created it using a Hotmail email account. I never used Steam for a couple of years. One day last fall I decided I wanted to do a little gaming, but I could not remember my account. I did the password reset but it never came through. I tried logging into my old Hotmail account, but they said it didn't exist. I re-created it, resubmitted the Steam password recovery form, and recovered my account _with_ saved credit card information.
Thanks for sharing. This is terrifying and it's the reason releasing the email addresses is a horrible idea.
The web runs on the assumption that you have access to an email address and you'll never lose control of it. Ignoring that assumption and opening up your old users to identity theft just because you want to reissue short usernames that will again be squatted on is kind of crappy.
Was your credit card still valid? Most cards aren't good for longer than 4 years, and chances are you had a few years on it when you signed up for Steam.
