Does this Email Address that Shows for Auto-complete Mean My Computer or Account Has Been Hacked?

by

Autocomplete, or "suggestions" made when filling out a web form can be misleading, even frightening, until you realize where the suggestions come from.
Question:

I need your help with a problem I am having with Amazon.com. Yesterday, after
selecting an item to purchase at check out, I was required to sign in. When
I entered my first initial, the drop-down menu of my email address appeared.
However, there was also an email address which is unknown to me. I contacted Amazon
by phone, but I was disconnected. My question is: How did someone gain access to
my account on Amazon’s website to enter an unauthorized email address in the
first place? I thought Amazon’s website is secure.

I thought about sending an email to the unauthorized email address, but
decided that it might open my computer to something worse. Is there any way to
find out where this email might have come from?

Believe it or not, this actually has absolutely nothing to do with
Amazon.com or whatever site you might be logging into. Amazon wouldn’t
have been able to help you even if you had made contact.

To be even clearer: the appearance of that address in the Email field does
not mean someone gained access to your Amazon account.

To understand where that email address did come from, we need to understand
just a little bit about how your web browser works and the teeny, tiniest bit
about HTML.

It’s not scary. Really.

]]>
<![CDATA[

Entering data on web pages

Let’s use an example. Here’s something that you might see on a typical login
screen:

Email address:

In order to put that on a web page, such as this one, the web page author
actually writes something like this:

Email address: <input type=”text” name=”email”
size=”30″ />

That whole thing beginning with “<input” is the way that web page authors tell
your browser, “I want a box here into which the user can type text; it should be
30 characters wide and will have a name of ’email’.”

“Remember, it’s your browser – not the website – that’s
doing this.”

Then, when you click on the corresponding Submit or Login button, the web browser sends to the website something that says, “Here’s what was entered in the input field named ’email’.”

You’ll notice that most of that stuff you never see unless you look at the
actual HTML encoding of a web page. In particular, you never see what name the
web page author has chosen for any given field.

But conceptually, it’s all pretty simple; there’s a box that you type into and
the website author can give that box a name.

It’s important to realize that the name can be anything. I could
use name=”leos_corgi” and as long as the web server that was destined to
receive that information expects something called “leos_corgi”, then it works
just fine.

As we’ll see in a moment, though, there’s at least one really
common name.

Browser auto-fill

The first thing to realize is that it’s not the website that’s
providing that list of email addresses – it’s your web browser: Internet Explorer, Chrome,
Firefox, or whatever it is you’re using.

Essentially, all that the browser is doing is saying, “Oh, here’s something that
looks like something the user has entered before – I’ll provide a list of what
he’s entered before so he can choose from that list instead of having to type
it in all over again.”

Remember, it’s your browser – not the website – that’s doing this.

So, where did the browser get that list of email addresses to show you?

That’s where things get interesting.

A field by any other name

As it turns out, Amazon’s email address field – the one that you type into to
login – has this in it:

name=”email”

In fact, it’s extremely common for websites that ask you for an
email address to give that box the name “email.” They don’t have to name it
that, but it’s such an obvious fit that the majority of websites that ask you
for an email address will give that box the name “email.”

Heck, even here on Ask Leo! if you ask me a
question, the form that asks for your email address uses the name “email.”

Here’s the secret: your browser doesn’t distinguish between boxes named
“email” on different sites. To the browser, they’re all “email.”

So an address that you enter into one site – say my ask-a-question form – might then appear later as a suggestion for auto-fill on another completely unrelated
site – like Amazon.

And it’s all because we both elected to name the box where you type
your email address the same thing: “email”.

Watch it in action

Here’s a very simple test to show it in action:

“>Email address:

Enter a bogus email address into the box above and click Submit. Your browser only actually remembers when the field that you’ve typed into has been
submitted to a website. Don’t worry – that Submit should bring you back to this webpage on the Ask Leo! website.

Now, go to Amazon.com and go to their login page (you may have to logout
first).

In the Email field, type the first character or first few characters of
whatever bogus email address that you entered above. If your browser supports
auto-fill the way that most do, you should see that bogus email address that you typed in
on this page above as one of the suggestions for your Amazon sign-in.

Bogus email appearing in Amazon login

Simply because both Amazon and I used the name “email.”

So where’d that bogus entry come from?

The natural next question to ask then is where did that bogus email address
on your Amazon login come from?

I have no idea.

What I can tell you is that it was almost certainly typed into a field named
“email” on a web page somewhere that your web browser visited. It could be
any website. As you saw above, it doesn’t have to even be a login –
just a web page with a field that someone typed into that happened to have the
name “email.”

How do I get rid of it?

This varies by browser.

The option to look for is typically referred to as “auto-fill,” or in some
cases, relates to “form data.”

It’s much like clearing your browser’s cache, except that you want to clear
your browser’s memory of what’s been entered into the forms that you’ve submitted to the website.

In Internet Explorer, that’s Tools -> Internet
Options, in the General tab, under Browsing
history. Click the Delete button there.

Delete form data option in Internet Explorer

Make sure that the “Form data” option is clicked (along with whatever else
you might like to delete while you’re here), and click
Delete.

Now, the browser will make no suggestions the next time that you encounter an
entry field like “email.”

But it will start over, once again remembering the email addresses that you’ve
typed in so that it can provide them as suggestions that you can quickly click on
instead of having you re-type them the next time you encounter an entry field
with the same name as one you’ve entered before.

You know, like “email.”

Most of the time. Some websites can, and
do, use extensive Javascript to provide a more highly targeted auto-fill
feature. Gmail’s a great example when you’re composing a message and filling in
email addresses. The vast majority of websites, however, simply allow the
browser to provide the auto-fill functionality that we’re talking about here.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

9 comments on “Does this Email Address that Shows for Auto-complete Mean My Computer or Account Has Been Hacked?”

  1. Something to consider related to these boxes is that it is insecure to have your web browser remember your saved username and password for a website.

    Why? Because the username and password that your web browser saves for a website isn’t encrypted.

    As far as I know, Internet Explorer (all of it’s versions) doesn’t make it possible for someone to view this information using native Microsoft tools. Google Chrome and Mozilla Firefox have the ability to view this saved information in it’s “Options” or “Preferences.”

    However, this data in Internet Explorer can still be accessed using third-party free software. For my job and the side work that I do, I routinely need to recover this information. I use and recommend a piece of software written by NirSoft called “IE PassView.” Like other pieces of similar software, in the wrong hands, is tool can be dangerous but it can also be a life saver for someone that forgets their username and password.

    http://www.nirsoft.net/utils/internet_explorer_password.html

    Reply

  2. for what I do I use email alias’s

    example I sign up with say here and I use say
    ask-leo.com@

    [Leo can see by my email address (not shown) how I do it]

    or using say —> microcrap.com @ ask-leo.com

    this way, anytime I am inputting a new signup email address needed
    I will know if I have used or entered it before on a site!

    saves a lot of time for me

    but you have to look at how your email addresses are, if you dont have a domain to use
    you can buy one – sorry I cant let you know what else you can use or I would

    have a nice day

    Reply

  3. A simpler way to delete just one items from the list would be to highlight the one you want to get rid of, right-click and then select delete. The other email addresses in the list will not be affected.

    Reply

  4. The writer said they saw an email address which they didn’t recognize. If they are the only user of their computer, it means someone else accessed it and typed in an email address. Maybe it’s a computer shared by a couple, a family, or some other group, but if not, I’d want to know who was on it.

    Reply

  5. I noticed that on Amazon’s site, they have two areas to log in. The screenshot that Leo shows is the main login (when you click the “sign in” link at the top LEFT). That one doesn’t give me the drop down. However, if I click the “Your Account” link in the upper RIGHT, the email field on that page will display a drop-down. I’m using IE9 and I suspect that has something to do with what I’m seeing. Just FYI.

    Reply

  6. Leo, honestly, I have only once had auto-complete input a stranger’s name, and that was back in XP days, and the machine I bought was (I learned) sold unbeknownst to me refurbished. Auto-complete absolutely inputs my personal data (Firefox is awfully temperamental about it, though); I just haven’t had this experience since the early days of e-commerce.

    Reply

  7. Is there a way to make IE9 and Chrome not keep form data in the first place. Deleting the form data seems to be closing the barn door after the horse has left the barn.

    Reply

  9. You never have to worry about strange auto-complete E-Mail addresses showing up, if you turn off auto-complete in the first place.

    Just a thought!     🙂

    Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
Additional information is available at https://askleo.com/creative-commons-license/.