I’ve received a reply from Michael at CRC and they are on the case. Indeed I’ve checked back on the website and the specific vulnerability I tested has now been removed.
I’ll remind everyone else of one important thing in Internet security. Do not reuse login pairs of username/password or email address/password. Ideally do not reuse passwords at all, especially for important logins such as your email accounts or anything financial.
I should perhaps add that I have been a regular customer with CRC for a number of years and have had no significant issues with their service in that time, in fact on occasions it has been excellent.