Changing your email to someone else's locks them out. Registration checked for duplicate addresses; the update endpoint didn't.
I found this in a real cloud portal. Password reset doesn't recover the account; it silently logs the victim into the wrong one.