The composing of questions really doesn't help @woodyuk.
A quick look at my Vodafone account, (handy that it's today that I chose to update all my passwords and email addresses everywhere), and it shows me I've a hidden "secret word", and a visible hint.
The hint has not helped to remind me of the secret word, (which I'd forgot setting let alone the content). I can guess, and the guess may even be correct, but if I ever need to use it or change it it's much more likely that I'll have to call them.
It is the lack of this ability to call and verify by other means which presents the biggest obstacle for people like myself with severe memory issues.
That's one of the reasons I love them so much, (and Lloyds and Nationwide and others), because they're all willing to work with me and identify me via other means that I can remember, like my national insurance number, my NHS number, my partner's date of birth and name, things like that.
This could be possible with giffgaff but you've problems with remembering the format. For instance if one of the security questions was "What position did you play in soccer" and the answer is center back, you can write that in a number of different ways and you've gotta remember which one you used or you're locked out.
When you can call, the format the answer is written in doesn't matter, you'd be able to say "center back" and pass even if you wrote CB or CD on the form, because the human can apply common sense, you can probably even pass if you say "central defender" in such a situation because of course they're all the same thing.
Forms can't make distinctions like that.
I've been locked out on capitalization errors before and not being able to remember how much of someones name I used and how I capitalized it.
But yeah you're right about the email address change, which is why that should also be two factor authenticated, (to the old address), and email addresses should be verified anyway which they currently aren't.