Let's call out the bollox of using email addresses as login IDs. A user ID and a password taken together are a long string. Doesn't it make it easier to guess the string if you're given half of it? And an email address is one thing that you do tend to give out. It's a mitigation, but no more, if you're able to set up individual addresses for individual sites but the basic rule should be to have email address as a separate field.
Example 1. PayPal. The ID is the email address. OK, I can set up a unique address for this but I then find that hands out that address to merchants. Evidence? I had to change the PayPal ID (a pain in itself) because a merchant to whom I purposely hadn't given an email address decided it was a good idea to spam me using my PayPal ID. So PayPal, acting as a banker in that it's able to handle my money, is happy to hand out half my login credentials to a 3rd party. I'd like to think that they've stopped that crap under GDPR but I don't expect they have.
Then there's the assumption that an email address is a guaranteed to be unique and permanent ID personal. It's neither.
It doesn't necessarily have to be a unique individual address. Companies who adopt this tactic are quite happy to tell you to contact them on something like firstname.lastname@example.org.
And it certainly doesn't have to be permanent, especially if it's an ISP provided address.
Example 2. I have a login at IBM which includes the name of my second (or last but one) ISP who, before I left them, had been taken over at least 3 times and hasn't been a valid, or at least a used, email address for at least 10 years. They won't allow it to be changed but do at least allow a separate, working, address to be provided.