Yea, I think the accounts should be linked to an email. But it is possible that once the account is hijacked, the user can request for an email change, effectively taking over the subscription.
For paid AV, you can consider checking out Bitdefender. Kaspersky is solid as well 🙂
