That IS scary! I've actually thought our accounts were much more safer than that being that only we hold our google account, its tied to our devices when we use Google Play. And we would THUNK all identification files are 100% wiped off when we prepare the device for sale..... inexplanable.
I sometimes wonder if theres' some back-end code or ID that some google charges goes by and not "include" as a safety-net validation the layer of identification that we have access to modify. So, no matter what we change or wipe on the 'front end', it may not change the origianl record or id on a back end somewhere and the device pings that "id" pushing a charge back to us the original owner (Hey! im out of bananas this morning, my brain goes wild with thought if i dont GIT my FIX)
Dont they KNOW who they are messing with!?! Show them your ordained certificate! that'll make'em back off!