Amazon hack?

[wickham]

I run a phpBB forum which is standard in that email addresses are hidden except from three administrators.

A member posted on a topic mentioning an unusual product. He has a username that doesn't include his real name and his email address isn't mentioned in any post.

A week later Amazon email him asking whether he wants to buy the product which is hardly ever mentioned on Google or anywhere else.

He naturally thinks that our forum has divulged his email address and Amazon have connected it with the unusual product in his post.

Administrators haven't published his email address so how has Amazon linked it to the post? Coincidence or some clever hacking?

Only last week I upgraded the forum software to 3.2.3. Has phpBB let in Amazon via some loophole?

[Itsallaguess]

Has phpBB let in Amazon via some loophole?

Isn't it more likely that he might have looked up the product whilst logged into Amazon, during the process of posting about it on your forum?

I'd think some sort of trace-link via that method is much more likely than Amazon hacking into your forum....

Cheers,

Itsallaguess

[Slarti]

I run a phpBB forum which is standard in that email addresses are hidden except from three administrators.

A member posted on a topic mentioning an unusual product. He has a username that doesn't include his real name and his email address isn't mentioned in any post.

A week later Amazon email him asking whether he wants to buy the product which is hardly ever mentioned on Google or anywhere else.

He naturally thinks that our forum has divulged his email address and Amazon have connected it with the unusual product in his post.

Administrators haven't published his email address so how has Amazon linked it to the post? Coincidence or some clever hacking?

Only last week I upgraded the forum software to 3.2.3. Has phpBB let in Amazon via some loophole?

More likely the email is not from Amazon!

Have you ever had an email from Amazon, other than in relation to the processing of an order? I know I haven't.

Slarti

[wickham]

I asked the same question on a phpBB discussion forum and here is a selection of replies:

Has he visited Amazon looking for that product? I am always getting emails from Amazon about items I have shown a passing interest in!

If you're logged in to amazon and you look at something they almost always email you a few days later to remind you that you looked and that you might want to buy it. It's standard practice for them. That's by far the most likely explanation.

There are in fact many ways to correlate what you visit with cookies, invisible cookies and HTML5 data. So if the user shared an Amazon product and once the post loaded it fetched that product on his computer. There by triggering Amazon to send him an email. That's my best guess.

The user is going to talk to his son in law who is an IT specialist. He has admitted that he may have been logged in to Amazon when he named the product in a post on our forum.

[UncleEbenezer]

The user is going to talk to his son in law who is an IT specialist. He has admitted that he may have been logged in to Amazon when he named the product in a post on our forum.

Does your forum have any Amazon content, such as using their APIs? Or advertising from an advertiser that might do somesuch even if they're not actually amazon resellers? If so, that might have tracked his visit to the both page in question and to his amazon login, hence connecting them.

That's what cookies can do for you if you don't use privacy settings to prevent it. Some people are OK with that, others object strongly.

[wickham]

The user is going to talk to his son in law who is an IT specialist. He has admitted that he may have been logged in to Amazon when he named the product in a post on our forum.

Does your forum have any Amazon content, such as using their APIs? Or advertising from an advertiser that might do somesuch even if they're not actually amazon resellers? If so, that might have tracked his visit to the both page in question and to his amazon login, hence connecting them.

That's what cookies can do for you if you don't use privacy settings to prevent it. Some people are OK with that, others object strongly.

No

[superFoolish]

He naturally thinks that our forum has divulged his email address and Amazon have connected it with the unusual product in his post.

I may have missed something about how the Amazon email is 'connected' to the post, other than the post mentions the unusual product. If the email from Amazon somehow mentions the actual post, or there is clearly some evidence that Amazon has linked the anonymous post to his Amazon account, then clearly, something fishy is going on.

However, it's more likely he has been researching the product and Amazon (or perhaps more likely, an affiliate organisation) has tracked him. As I understand it, one does not have to be logged into Amazon to be tracked; they just need to have a tracking cookie on the browser.

Having said that, I concur with Slarti that it is unlikely that the email is from Amazon. I have used Amazon for almost two decades, and I don't think I have ever received marketing emails from them.

It'd be interesting if you could get a copy of the 'Amazon' email from your forum user. My guess is that it is an affiliate, and they may well be breaching their Amazon affiliate contract.

It may not be worth your trouble, but perhaps you may also want to create a pinned post in your forums explaining basic security issues, and noting how to create unique email addresses which can then be used to track security breaches.

[UncleEbenezer]

Having said that, I concur with Slarti that it is unlikely that the email is from Amazon. I have used Amazon for almost two decades, and I don't think I have ever received marketing emails from them.

This must be a different Amazon to the one I've encountered.

They're one of very few supposedly-reputable companies whose email I've had to block 'cos they sent regular spam (the other I can bring to mind is Nectar). That's based on a life of carefully and consistently ticking all the boxes to opt out of being spammed, and most companies I've done business with respecting that.

[Slarti]

Having said that, I concur with Slarti that it is unlikely that the email is from Amazon. I have used Amazon for almost two decades, and I don't think I have ever received marketing emails from them.

This must be a different Amazon to the one I've encountered.

They're one of very few supposedly-reputable companies whose email I've had to block 'cos they sent regular spam (the other I can bring to mind is Nectar). That's based on a life of carefully and consistently ticking all the boxes to opt out of being spammed, and most companies I've done business with respecting that.

As I do with most places, I opted out of any marketing.
Signed in as me.
Clicked on My Account
In the middle of the page there are Advertising Preferences and Communication Preferences.
Under Communication Preferences are 3 options, the bottom one is where you opt in to receive marketing emails, by department. There is a opt out of all box at the bottom of the list. The you have to click the Update button.

I had to go looking for how to do it as I had set it so long ago.

Slarti