This is not true - most of the time all you need to do is fill out the captcha. In some cases (when our systems detect something suspicious about your network), we would request an additional email address.
Even in those cases, the email addresses are not tied to your account - we only save a cryptographic hash of your email. Due to the hash functions being one-way, we cannot derive your data back from the hash: https://proton.me/support/human-verification
While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.
> While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.
I've no reason to doubt this but brute-force cracking a hash known to be from a phone number would likely be pretty trivial.
Fwiw, I use protonmail and trust it more than most other services. But my threat model doesn't involve technically capable adversaries directly targeting me, certainly not ones that could compel protonmail to divulge phone number hashes.
> Due to the hash functions being one-way, we cannot derive your data back from the hash
This isn't true in practice. It's not hard to build a big list of ~every email address (give or take), and have a GPU churn through them all until you get a match.
If you've ever received a spam email, your email address is on such a list.
argon2id with dynamic salt should effectively prevent this, but it will also not allow to tell if two users have the same e-mail or not -- which I suspect is the main reason for hashing in the first place.
If equality-check is required to prevent e-mail reuse by spammers then argon2id with static salt rotated every few months will be reasonably strong too.
Of course I have no idea if any of this is implemented or it's just sha256(email). Just replying to the question of general feasibility.
While we did use phone verification in the past, this is not the case any longer. Phone numbers were stored in the same way as the email addresses, so, again, we have no way to derive them back from the hash.