theallan 2 days ago

Joker.com. Credit to them, they fixed it reasonably quickly, but it's a horrible policy to default to enacting the change if no response is given. Their reasoning was: what else would they do if someone got locked out of their email? They need a way to recover their domain somehow, and they ask for ID to be submitted, but as seen, that is trivial to fake.

jpalomaki 2 days ago

The only real solution is to tie the accounts to the digital identity of a person/company and enforce strong authentication for these cases. Not sure if there's already some EU-level solution to this. This is of course pretty complicated to implement, but it would be a valuable extra service for customers.