Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

How Did a Website Discover My Email Address?

Question: I visited a website and two days later, I received marketing information through email from that website for their products. How could they know my email without me providing it when I visited the website? Could it be that they have group mailed somehow? The mail came on my Gmail account.

Depending on the site, it could be a coincidence. Many large companies use mass market email and the fact that you received a message might be completely random.

There are several ways that a company could do this… and again, it’s not based on paranoia. You just need to understand what technology these companies have that allows them to do this.

It all boils down to related sites or sites that use related advertising.

Become a Patron of Ask Leo! and go ad-free!

Related sites

Let’s say you visit Site A and buy something. You give them personal information, but at a minimum, you give them your email address.

Site A leaves a browser cookie on your machine, so whenever you visit, it knows that you previously bought something there. Now, Site A can tailor their site to your interests, keep you logged in, remind you of things you’ve purchased in the past, or do anything like that when you come back.

Now, you leave Site A and go to Site B to look around, but you don’t realize that Site B and Site A are the same company (think Gap and Old Navy1). Because the two sites are related, they share a database. They also share the cookie that Site A left on your machine.

Because of this, Site B recognizes you and looks up the email address in their shared database. As you leave, they send you an email related to what you were browsing.

Email EnvelopeRelated advertisers

Now, the sites don’t have to be related for this to happen. Two sites may have the same advertising partner which shares information.

Let’s say that you bought something at Site C. Their advertising partner works with Site D. The advertising partner may have access to information like your email address through Site C and may pass it on to Site D.

Whether an advertiser does this or not depends on the privacy policies of the sites that you visit. If you visit a site, they may have a Privacy Policy checkbox somewhere. As long as it’s checked, the website feels that they have your permission to share your email address with whomever they want.

In that case, a company unrelated to the site that you actually did business with (say Site E) could use this advertising network to get access to your email address and send you more information.

Ultimately, getting your information is merely a matter of data analysis for companies and advertisers. It’s really not that unusual (and not that difficult) for companies to basically share information as you do business or simply visit on the internet.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Footnotes & references

1: I don’t know that they do any of the sharing I’m talking about here; they’re just an example of two stores that are actually owned by the same company.

49 comments on “How Did a Website Discover My Email Address?”

  1. “Many large companies use mass market email and the fact that you received a message might be completely random.” That’s spam by definition. I don’t think many reputable companies would do this as it would backfire with them being labeled as spammer by the recipients and even getting flagged on services like WOT. I’d tend to go with the ad partner theory where the person may have inadvertently opted in for affiliate advertising,

  2. Today I searched a few sites for eye glasses. I filled out NOTHING. About 15 minutes later I have an email for eyeglasses from a site that I didn’t even visit. I am an internet marketer. I understand how most everything works including remarketing, etc. This scenario boggles my mind and if it’s possible to get email addresses from a visit, that would do wonders for my Adwords campaigns.

    Any info?

    • I think it’s just a coincidence. You probably were just thinking eye glasses, and so you noticed that spam email more than you would have otherwise. The site couldn’t get your email unless you gave it to them.

    • Your comment sounds almost identical to the scenario described in the article, so I’d probably say it was either a coincidence or you accessed a website which shares a common advertising partner which shares a cookie with them..

      Shame on you Greg. Even if I knew a way to harvest an email through a search or a visit, I would never reveal it as it would be enabling spam.

    • Hi Greg, it’s not a coincidence in my opinion. Same thing happened to me. I browsed a website for 2 minutes and then I got an email from that very same company 2 hours later. I have never been on this website before. I didn’t fill out any info. I had fraud on my credit card that same day for $10.71 at Lowe’s. My cc was entered in manually from a car that I never use anymore. But that is the one that auto fills on my iPhone. It blows my mind that website could get my info from just me visiting. But there is no other explanation here.

    • It is not coincidence, I use a different email address for any site I give an email address to. Many sites are a visit for the first time and they still are able to get my main email address. That is why I came to this webpage to find out how they are getting it. e.g. the email address for this site will be askleo@ my domain name.

  3. Is it possible to receive porn sites and dating sites out of the blue in your spam email account without ever looking up any of it or putting your email in physically please is very important to know this my marriage depends on it

  4. I have 3 email addresses, one is personal and given to friends. I visited a website and 2 days or so later I received an email in my personal email for friends. I programmed for a long time and have played with computers too and thought I was careful about my personal email and cannot figure out how they got my email address given to friends. It may have been open on another tab in the browser. Is having an open tab email a security risk? I had about 30 jobs as a programmer or analyst and used many different apps and thought I knew something and cannot figure it out.

    • That definitely would be the kind of flaw which browser makers work hard to prevent. If one were discovered, the browser makers would patch ASAP. I won’t say a browser or any program doesn’t have vulnerabilities but it doesn’t seem likely in this case.

  5. Hi,

    Today I went on a finantial site to get some investment company rates – top 10 companies etc. They wanted some info. I put in random characters for name, wrong DoB, old post (ZIP) code, wrong phone number. Clicking on NEXT came up “our adviser will call you” and no top ten list.
    2 minutes I got an email “Dear …. the exact same random name I had entered” How can this be?

        • No. All I can think of is that something about your situation — cookies, cookies left by advertisers, information associated with other characteristics of your online session and so on — allowed the service to identify your actual phone number via other means.

          • I do have a static IP here. Is that broadcast by the browser? There are obviously other sites where I have entered my email address… but then again this was the only time I entered that random name.

            I think I will revisit it with different info.

          • Your IP address is not “broadcast” by the browser, but is available to every site you connect to simply by virtue of the way that TCP/IP and networking works. Even I can see it.

  6. I work retail and we sell products through a 3rd party app. I have only ever given that company (which runs the app) my work email address. I don’t do any shopping from my computer at work, and I’ve never signed in to the app or its website on my phone or home computer. Recently, the company emailed me at an old personal email address (emails are retrieved by my new email account) about an order that is definitely one for the retailer I work for. I am baffled. I’ve asked the company how they got that email address. I suspect they won’t tell me, but we’ll see.

  7. Same thing here. After clicking an ad in my email to check out a product, a vew hours later I get an email from them asking if I am still interested in that exact product. Should I clear my cookies?

  8. Yesterday, I went to a metal supply site and added some items to my cart. I then forgot about it. Never gave them my e-mail address. Never subscribed to them. Never clicked an ad, etc.

    Today, I received an e-mail stating I have left items in my cart from them.

    Not cool.

  9. How do individual parties get my email address? This is frustrating as hell. I have a website. My email address is NOT on that site, but it IS the one that’s linked with Google Analytics. From time to time I get emails from people wanting to provide me with SEO services. Maybe some are scams, maybe some are legit. I also periodically get emails from writers wanting me to post their articles. Are these people looking up my site on Google Analytics somehow, even though they don’t have my Google logins, yet somehow gaining access to data revealing my email?

    When I ask these SEO companies how they got my email, they NEVER respond. I haven’t asked the writers because I never want to post their articles, so I’m not going to say, “I can’t run your article, and by the way, how did you get my email address?” because I’m sure they won’t answer.

    I googled my question and can’t find the answer. (By the way, the email address I provided to post this comment is NOT the email address associated with Google Analytics.)

    • It’s better not to ask how they got your email address. Those companies are spammers and responding to their spam only invites more spam. Just mark those emails as spam. It’s all you can do.

      I get a lot of SEO spam on my website’s email address. All websites do.

      As for how they get your address, if you have a website, they send spam to something like info@{yourURL}.com or webmaster@{yourURL}.net etc.

      • Yes, also a good point. Or if your name is common/short/obvious with respect to your website (like, say, “leo” might be for you can expect a lot of spam that way too.

    • What’s the email address associated with your domain registration? That’s the most common thing.

      For the record, I get a constant stream of these the same requests. I’m convinced now that most are automated. Responding just isn’t worth it — I ignore them, and even mark most as “spam” since that’s ultimately what they are. Mark enough of them spam and a good spam filter will start throwing them into the spam folder automatically. it’s just not worth getting worked up over.

  10. I recently visited a website on my iOS device, after seeing a TV commercial for their product. I did nothing but browse. Shortly afterward I got an email from the company thanking me for joining their family. I had entered no information, nor signed up for anything. I get that cookies and affiliates can link all kinds of things together, but what was particularly disconcerting in this case was they emailed me at a SPAM-free work email address that I don’t share out, no social media is associated with it, nor do use it for any logins… It’s simply for work correspondence. I have another email address that I use for all logins, purchases, community forums, etc. Had I gotten contacted at that email address I wouldn’t have given it a second thought. Also, the work email address they contacted me at is my own domain, but I use private registration. Thoroughly baffled.

      • That’d be a pretty impressive coincidence. I literally get NO spam at my business email (my own domain). I’m not buying it…

        Since this is a fairly respectable company, I took the risk and contacted them. They were very responsive. They noted that they had a record of someone by my name having been into one of their brick and mortar locations in the past, but no email associated with it. I have never been in one of their stores, but I have researched their products many years ago. Their is almost zero chance I would have used the email in question when I looked into them before, if I provided an email at all. But I suppose it IS possible I did some coupon creativity back then with multiple email addresses. Unlikely though I’d have jeopardized that email though. Either way, they said they’d look into it, but did attempt to remove me from their mailing list. It took a few tries before the removal seems to have stuck. If they actually do look into this and can figure it out, I’ll be sure to share the results here.

  11. I like an answer to this particular one, I’m browsing the website Maui Jim looking at sunglasses, while I am on the site I get an email notification from Maui Jim. I’ve never been a customer of theirs, and I don’t know any related company how they would get my email. The email contained five of the sunglass models that I had been looking at, I feel very unsecured at this point. Can anyone add thoughts? Is there any way I can find out exactly how they got my email address?

    • To answer that last part, no there’s no way for you to find out, unless you asked and they told you. Ultimately the article discusses how I believe this happens. It feels creepy, but I consider it harmless.

  12. I had a situation similar to Rick B’s just yesterday, but even a bit more troubling. I was browsing a sewing fabric website I have bought from before, but not in at least a year or two, and I wasn’t logged in. My HUSBAND immediately received an email from them with a coupon and showing the items I’d been looking at. My husband has never visited that site, and he has never used my computer, so there shouldn’t be any cookies on it related to his email address. They emailed him at the email address he uses as his contact info with our internet service provider, which is the only connection I see but I’m interested if anyone has any other thoughts on how this happened. I contacted the site about this and they blamed it on their third party marketing company and referred me to their privacy policy. If they’d sent the same email to me, I probably wouldn’t have thought much about it. But to my husband??? There’s no explanation I can find, and it feels a bridge way too far.

    • IMO it’s all about the marketing data as well as all of the relationships we expose online without realizing it. For example, let’s say that company A uses advertising agency Z. You buy from A, years ago, and now Z knows your email. Sometime later your husband visits website B, which also uses agency Z. Now Z knows your husband’s email address. Note that and B are totally unrelated to one-another, other than using the same advertising agency.

      ANYTHING that allows the advertising agency to realize that your two email addresses are somehow related — perhaps you have specified both at your bank, or use one as a recovery address for the other, again at some site that uses Z for marketing — lets them now cross-market with amazing precision.

      That’s all hypothetical, but the bottom line is we expose a TON of information and relationships when online.

    • Last night I was talking with a friend at a bar about a nearby ski resort. When I turned on my computer, the Microsoft login wallpaper was a view of that town. They’re listening to everything. ;-) But seriously, some things just happen by coincidence.

  13. I bought a Hxxx car 10 years ago. I rarely receive emails anymore from either the dealer I bought the car from or the dealer which I used to have service my car 8-10 years ago. Recently I started a part-time job delivering cars our company has serviced to local dealers. When I returned to car over to a dealer for the Wxxxx Cxxx dealership yesterday I printed my name on the return form. When I got home that evening I had an email in my inbox from the local Wxxx Hxxx dealership on the other end of town. My email address has 2 initials followed by last name. Is this a “coincidence?”

  14. I went to a site, {link removed} and my email address was already populated on the page. I had never visited the site before. How did it do that?

  15. I haven’t read all the comments but searched some key words for anything or anyone mentioning the legality of this and nothing came up. My situation is that I visited a site and then received an email from that company a short time later. In my opinion, this is illegal and I was wondering if anyone knew of the actual law that covers this situation.

    • It depends on the circumstances.

      This isn’t legal advice, so take it with a grain of salt.

      “If you visit a site, they may have a Privacy Policy checkbox somewhere. As long as it’s checked, the website feels that they have your permission to share your email address with whomever they want.”

      If the checkbox was ticked and you inadvertently gave them permission, it’s not technically spam. If you’ve never given them permission, then it’s spam and might fall under any anti-spam laws in the country where the spam was sent from.

  16. Thank you Mark and Leo. I am in California and I have not provided consent. This is the first time this has happened to me and I actually think it is a tool or mechanism that this firm/site uses on purpose to get more business. I know this is the land of extreme capitalism but this has gone too far as now I do think more and more sites/firms will be doing this so this will only increase. It may not be illegal but I and many others around the world believe it should be. Throwing away one’s privacy for the almighty dollar is nothing but criminal cowardice.

  17. I use Roboform and have put details on there to fill forms when necessary. Could have these details have been picked up there?

    • The article says it’s either a coincidence or you accessed a website which shares a common advertising partner which shares a cookie with them. I once talked a friend in person about a ski jump in a nearby city. The next day that showed up as my WIndows’s login screen. Spying on me? I’ll chalk it up to coincidence. I see some remarkable coincidences very often.

  18. I ended up at your site due to the same situation as the person who wrote: “I’m browsing the website Maui Jim looking at sunglasses, while I am on the site I get an email notification from Maui Jim. I’ve never been a customer of theirs, and I don’t know any related company how they would get my email.”

    This practice is happening more and more often, and it bugs me to no end. I’ve started engaging with some of the companies that do it, and let’s say that results are interesting. Some are actually willing to discuss, others blow me off.

    The idea that these emails are mere coincidence is just bizarre, and I’d say a cop-out. It happens too often, too instantly, and too consistently to be coincidence. More likely it’s another issue that was mentioned here, that the offending company has a relationship with one we have dealt with before.

    But maybe it’s this: “Capture Email Addresses From Website Visitors Using These Tactics” seen at Lead Feeder’s site. [Please of course feel free to edit this if needed.] They write: “We use IP tracking to see which companies visit your website. Then, use our IP enrichment data or an email finder tool like [other site] to find the best email addresses and reach out to those companies.”

    In other words, they can quite creepily track us and they see that as a normal business practice.

    I’m planning to get a VPN. Which needs to be paid for, to get the privacy that in a better world we would already have.

    Thank you for your attempts to help us navigate the craziness.

    • A VPN wouldn’t stop those spam messages.When I get email like that i mark them as spam in the Google webmail page. It probably doesn’t do much good, but if enough people mark those as spam, maybe the email providers will blacklist those email addresses. They may thing their email is legit because the got it from a partner company, but the definition of spam is any commercial email you didn’t request.
      And that’s one kind of spam where address blocking works because they almost always send from the same address.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.