I need your help with a problem I am having with Amazon.com. Yesterday, after
selecting an item to purchase at check out, I was required to sign in. When
I entered my first initial, the drop-down menu of my email address appeared.
However, there was also an email address which is unknown to me. I contacted Amazon
by phone, but I was disconnected. My question is: How did someone gain access to
my account on Amazon’s website to enter an unauthorized email address in the
first place? I thought Amazon’s website is secure.
I thought about sending an email to the unauthorized email address, but
decided that it might open my computer to something worse. Is there any way to
find out where this email might have come from?
Believe it or not, this actually has absolutely nothing to do with
Amazon.com or whatever site you might be logging into. Amazon wouldn’t
have been able to help you even if you had made contact.
To be even clearer: the appearance of that address in the Email field does
not mean someone gained access to your Amazon account.
To understand where that email address did come from, we need to understand
just a little bit about how your web browser works and the teeny, tiniest bit
It’s not scary. Really.
Become a Patron of Ask Leo! and go ad-free!
Entering data on web pages
Let’s use an example. Here’s something that you might see on a typical login
In order to put that on a web page, such as this one, the web page author
actually writes something like this:
Email address: <input type=”text” name=”email”
That whole thing beginning with “<input” is the way that web page authors tell
your browser, “I want a box here into which the user can type text; it should be
30 characters wide and will have a name of ’email’.”
Then, when you click on the corresponding Submit or Login button, the web browser sends to the website something that says, “Here’s what was entered in the input field named ’email’.”
You’ll notice that most of that stuff you never see unless you look at the
actual HTML encoding of a web page. In particular, you never see what name the
web page author has chosen for any given field.
But conceptually, it’s all pretty simple; there’s a box that you type into and
the website author can give that box a name.
It’s important to realize that the name can be anything. I could
use name=”leos_corgi” and as long as the web server that was destined to
receive that information expects something called “leos_corgi”, then it works
As we’ll see in a moment, though, there’s at least one really
The first thing to realize is that it’s not the website that’s
providing that list of email addresses † – it’s your web browser: Internet Explorer, Chrome,
Firefox, or whatever it is you’re using.
Essentially, all that the browser is doing is saying, “Oh, here’s something that
looks like something the user has entered before – I’ll provide a list of what
he’s entered before so he can choose from that list instead of having to type
it in all over again.”
Remember, it’s your browser – not the website – that’s doing this.
So, where did the browser get that list of email addresses to show you?
That’s where things get interesting.
A field by any other name
As it turns out, Amazon’s email address field – the one that you type into to
login – has this in it:
In fact, it’s extremely common for websites that ask you for an
email address to give that box the name “email.” They don’t have to name it
that, but it’s such an obvious fit that the majority of websites that ask you
for an email address will give that box the name “email.”
Heck, even here on Ask Leo! if you ask me a
question, the form that asks for your email address uses the name “email.”
Here’s the secret: your browser doesn’t distinguish between boxes named
“email” on different sites. To the browser, they’re all “email.”
So an address that you enter into one site – say my ask-a-question form – might then appear later as a suggestion for auto-fill on another completely unrelated
site – like Amazon.
And it’s all because we both elected to name the box where you type
your email address the same thing: “email”.
Watch it in action
Here’s a very simple test to show it in action:
Enter a bogus email address into the box above and click Submit. Your browser only actually remembers when the field that you’ve typed into has been
submitted to a website. Don’t worry – that Submit should bring you back to this webpage on the Ask Leo! website.
Now, go to Amazon.com and go to their login page (you may have to logout
In the Email field, type the first character or first few characters of
whatever bogus email address that you entered above. If your browser supports
auto-fill the way that most do, you should see that bogus email address that you typed in
on this page above as one of the suggestions for your Amazon sign-in.
Simply because both Amazon and I used the name “email.”
So where’d that bogus entry come from?
The natural next question to ask then is where did that bogus email address
on your Amazon login come from?
I have no idea.
What I can tell you is that it was almost certainly typed into a field named
“email” on a web page somewhere that your web browser visited. It could be
any website. As you saw above, it doesn’t have to even be a login –
just a web page with a field that someone typed into that happened to have the
How do I get rid of it?
This varies by browser.
The option to look for is typically referred to as “auto-fill,” or in some
cases, relates to “form data.”
It’s much like clearing your browser’s cache, except that you want to clear
your browser’s memory of what’s been entered into the forms that you’ve submitted to the website.
In Internet Explorer, that’s Tools -> Internet
Options, in the General tab, under Browsing
history. Click the Delete button there.
Make sure that the “Form data” option is clicked (along with whatever else
you might like to delete while you’re here), and click
Now, the browser will make no suggestions the next time that you encounter an
entry field like “email.”
But it will start over, once again remembering the email addresses that you’ve
typed in so that it can provide them as suggestions that you can quickly click on
instead of having you re-type them the next time you encounter an entry field
with the same name as one you’ve entered before.
You know, like “email.”
† Most of the time. Some websites can, and
feature. Gmail’s a great example when you’re composing a message and filling in
email addresses. The vast majority of websites, however, simply allow the
browser to provide the auto-fill functionality that we’re talking about here.