How to revoke a certificate without account key or email

Yes. The validation -- authorization -- lasts for a certain amount of time. I think it's currently 90 days, though they intend to lower it further: Upcoming API changes The attacker can continue issuing certificates until it expires, covering a total of about 179 or 180 days.