Similar, but worse.
I managed to get back an expired domain I'd lost, and started getting email from stripe.com about payments received. I went to the site, it had a "reset my password via email" link that I clicked, and subsequently received a password-reset token url.
I didn't precede further, but contacted them, explaining the situation, and they said they couldn't alter the email address as I wasn't the account holder, and besides, they couldn't remove an address - just replace it with a different one, and as I had no knowledge of their new email address, nothing could be done.
A few mails back and fore, I finally lost patience and said they should contact their sysadmin, and PR, and legal department for a solution, because if it transpired that they knew someone had unauthorised access to someone elses account, and decided to withdraw the few hundred dollars that were going in, it wouldn't go down well.
I was assured by reply that the email address had subsequently been disabled. It hadn't. I just ended up bouncing mail sent to that address, but checking the logs now, they still appeared for about 6 months (up until September)