Comment by VerifiedReports

25 days ago

Thanks for the anecdote backing up my longstanding suspicion on that.

This is also why using E-mail addresses as user IDs is monumentally stupid: People will think that they need to use their E-mail password, too. So now any entity with this ID policy becomes a gatekeeper not only to their own site or service, but the user's E-mail account.

One poor security regime or disgruntled employee at one obscure Web site can now enable identity theft on a grand scale, by exposing E-mail addresses and passwords.

There's a reason that banks and brokerages don't employ this ignorant policy. It's disappointing that Apple set such a poor example by implementing it. Then they had to run around trying to mitigate the harm with 2FA and other measures, after high-profile "hacking" attacks on journalists and celebs.