Re: AT&T did the same....
Not at all surprised with AT&T. I think they have at least four separate databases containing an email field. They are not all updated upon changing your e-mail, via one of the many ways to change your e-mail. One of them does not work with plus addressing aliases from gmail. I think it is the paperless billing, but part of it does. I could register and verify and receive email from the paperless billing except for the last step where I would receive paperless bills, but I would get other notifications pertaining to paperless bills at the plus address. I eventually created an att alias email on my domain.
On a related note with AT&T, They plastered another layer of security over their insecure ad-hoc system. They implemented 2FA via SMS, but only to AT&T numbers, and only to an AT&T number on the account. High fives and adjourn for beer after that meeting, eh. So, when I find myself working out of town where there is no cell coverage but I can get wifi, I cannot login to my account. Of all the 2FA options available SMS is the most vulnerable to interception. The backend TOTP generation is the same as used with tokens without the swiss chees SMS. They refuse to acknowledge that the 2FA they implemented keeps me out, but not a determined hacker.