I need your help with a problem I am having with Amazon.com. Yesterday, after
selecting an item to purchase at check out, I was required to sign in. When
I entered my first initial, the drop-down menu of my email address appeared.
However, there was also an email address which is unknown to me. I contacted Amazon
by phone, but I was disconnected. My question is: How did someone gain access to
my account on Amazon’s website to enter an unauthorized email address in the
first place? I thought Amazon’s website is secure.
I thought about sending an email to the unauthorized email address, but
decided that it might open my computer to something worse. Is there any way to
find out where this email might have come from?
Believe it or not, this actually has absolutely nothing to do with
Amazon.com or whatever site you might be logging into. Amazon wouldn’t
have been able to help you even if you had made contact.
To be even clearer: the appearance of that address in the Email field does
not mean someone gained access to your Amazon account.
To understand where that email address did come from, we need to understand
just a little bit about how your web browser works and the teeny, tiniest bit
It’s not scary. Really.
Entering data on web pages
Let’s use an example. Here’s something that you might see on a typical login screen:
In order to put that on a web page, such as this one, the web page author actually writes something like this:
Email address: <input type="text" name="email" size="30" />
That whole thing beginning with “<input” is the way that web page authors tell your browser, “I want a box here into which the user can type text; it should be 30 characters wide and will have a name of ‘email’.”
Then, when you click on the corresponding Submit or Login button, the web browser sends to the website something that says, “Here’s what was entered in the input field named ‘email’.”
You’ll notice that most of that stuff you never see unless you look at the actual HTML encoding of a web page. In particular, you never see what name the web page author has chosen for any given field.
But conceptually, it’s all pretty simple; there’s a box that you type into and the website author can give that box a name.
It’s important to realize that the name can be anything. I could use name="leos_corgi" and as long as the web server that was destined to receive that information expects something called “leos_corgi”, then it works just fine.
As we’ll see in a moment, though, there’s at least one really common name.
The first thing to realize is that it’s not the website that’s providing that list of email addresses † – it’s your web browser: Internet Explorer, Chrome, Firefox, or whatever it is you’re using.
Essentially, all that the browser is doing is saying, “Oh, here’s something that looks like something the user has entered before – I’ll provide a list of what he’s entered before so he can choose from that list instead of having to type it in all over again.”
Remember, it’s your browser – not the website – that’s doing this.
So, where did the browser get that list of email addresses to show you?
That’s where things get interesting.
A field by any other name
As it turns out, Amazon’s email address field – the one that you type into to log in – has this in it:
In fact, it’s extremely common for websites that ask you for an email address to give that box the name “email.” They don’t have to name it that, but it’s such an obvious fit that the majority of websites that ask you for an email address will give that box the name “email.”
Heck, even here on Ask Leo! if you ask me a question, the form that asks for your email address uses the name “email.”
Here’s the secret: your browser doesn’t distinguish between boxes named “email” on different sites. To the browser, they’re all “email.”
So an address that you enter into one site – say my ask-a-question form – might then appear later as a suggestion for auto-fill on another completely unrelated site – like Amazon.
And it’s all because we both elected to name the box where you type your email address the same thing: “email”.
Watch it in action
Here’s a very simple test to show it in action:
Enter a bogus email address into the box above and click Submit. Your browser only actually remembers when the field that you’ve typed into has been submitted to a website. Don’t worry – that Submit should bring you back to this webpage on the Ask Leo! website.
Now, go to Amazon.com and go to their login page (you may have to log out first).
In the Email field, type the first character or first few characters of whatever bogus email address that you entered above. If your browser supports auto-fill the way that most do, you should see that bogus email address that you typed in on this page above as one of the suggestions for your Amazon sign-in.
Simply because both Amazon and I used the name “email.”
So where’d that bogus entry come from?
The natural next question to ask then is where did that bogus email address on your Amazon login come from?
I have no idea.
What I can tell you is that it was almost certainly typed into a field named “email” on a web page somewhere that your web browser visited. It could be any website. As you saw above, it doesn’t have to even be a login – just a web page with a field that someone typed into that happened to have the name “email.”
How do I get rid of it?
This varies by browser.
The option to look for is typically referred to as “auto-fill,” or in some cases, relates to “form data.”
It’s much like clearing your browser’s cache, except that you want to clear your browser’s memory of what’s been entered into the forms that you’ve submitted to the website.
In Internet Explorer, that’s Tools -> Internet Options, in the General tab, under Browsing history. Click the Delete button there.
Make sure that the “Form data” option is clicked (along with whatever else you might like to delete while you’re here), and click Delete.
Now, the browser will make no suggestions the next time that you encounter an entry field like “email.”
But it will start over, once again remembering the email addresses that you’ve typed in so that it can provide them as suggestions that you can quickly click on instead of having you re-type them the next time you encounter an entry field with the same name as one you’ve entered before.
You know, like “email.”
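The behaviour described above can be modelled in a few lines. This is an added example, not code from Ask Leo! or from any browser: FormHistory and its methods are hypothetical names, the site labels and values are constructed, and the model is simplified to the three points the article makes (values are remembered only on submit, they are looked up by field name alone, and clearing form data empties the list).

```javascript
// Simplified model of a browser's form history (hypothetical, not a real browser API).
class FormHistory {
  constructor() {
    this.saved = new Map();   // field name -> Set of submitted values; no site is stored
    this.pending = new Map(); // typed into the current page but not yet submitted
  }
  // Typing alone stores nothing permanent.
  typeInto(fieldName, value) {
    this.pending.set(fieldName, value);
  }
  // Only a submit moves typed values into the history. The site is ignored on purpose.
  submit(site) {
    for (const [name, value] of this.pending) {
      if (!this.saved.has(name)) this.saved.set(name, new Set());
      this.saved.get(name).add(value);
    }
    this.pending.clear();
  }
  // Suggestions are keyed by field name and typed prefix; the site plays no part.
  suggest(site, fieldName, prefix) {
    const values = this.saved.get(fieldName) || new Set();
    const p = prefix.toLowerCase();
    return [...values].filter(v => v.toLowerCase().startsWith(p)).sort();
  }
  // Equivalent of deleting "Form data" in the browser settings.
  clearFormData() {
    this.saved.clear();
  }
}

// Walk through the test from the article with constructed sample values.
function demo() {
  const browser = new FormHistory();
  browser.typeInto("email", "bogus@example.com");
  const beforeSubmit = browser.suggest("amazon.com", "email", "b");
  browser.submit("askleo.com");                 // submitted on one site...
  browser.typeInto("leos_corgi", "biscuit");    // a differently named field
  browser.submit("askleo.com");
  const onAmazon = browser.suggest("amazon.com", "email", "b"); // ...offered on another
  const otherName = browser.suggest("amazon.com", "leos_corgi", "b");
  browser.clearFormData();
  const afterClear = browser.suggest("amazon.com", "email", "b");
  return { beforeSubmit, onAmazon, otherName, afterClear };
}
```

The value stored under "leos_corgi" never shows up for "email": the field name is the only thing the two sites share, and it is all the lookup uses.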