How? Seems to me that if they're storing (and handing over) data that allows trivial account takeover, they have a broken security process to begin with.