Spent too much time today on the telephone with Apple support. Got to a Senior Tech Support Supervisor, who was bright, articulate, and pretty savvy about Apple, but not so savvy about practices outside of Apple.
The gist of it is that whoever set up the account using my email address as an ID was able to get back in and change the password I had changed. I don't want to expose the details, but I think they still have a problem. I suggested they boot it up to management level... as IMO it's potentially a big issue.