Why am I seeing someone else's information pre-filled in my form?

Level 7

First, let's start off by establishing how Marketo is able to prefill a form with lead information.

Whenever a lead encounters one of your pages that has Munchkin in the source code, the cookie in the lead's browser will be read.  If a cookie does not exist, then one will be created and associated with an anonymous record in your database, which will allow the lead to be tracked until they identify themselves.  The cookie makes it possible for the Munchkin code to append new tracking activities to the lead's record in your database, and allows any form you have on your page to access the information in the lead record associated with the cookie.

A lead's browser can also be cookied when they interact with emails sent from Marketo.  Each link in emails you send from Marketo gets "wrapped" with tracking information specific to the lead it is sent to.  These links, when clicked, carry the tracking information to their browsers, and the munchkin is able to tell which record the email was sent to.

A form cannot prefill with any information unless there is a Marketo cookie present in the browser.  The trouble is that it's possible for someone to get cookied as or associated with a different lead record.  When this happens, all of their activities will be appended to the new record from then on, until their cookies are deleted.

A lead can be cookied/mis-cookied in a few ways.

1. Lead/User fills out a form.  If they're using their own email address then there's no problem, but if for some reason they're using the email address from a different lead record, then they'd be cookied/associated with that record.

2. Lead/User clicks a tracked link in an email.  As described above, if the email was meant for the lead clicking the link, then there isn't a problem.

3. Lead/User clicks a tracked link copy/pasted from an email.  As I said, links are "wrapped" for the original recipient.  If the link gets copy/pasted anywhere else, the tracking remains the same.  Each new person clicking the link gets cookied as the original recipient and will then see that person's information in a pre-filled form. This is especially common among coworkers who use Marketo and are testing pages and emails often.

4. Lead/User clicks a tracked link copied/shared from a forwarded email.  Similar to number 3, but instead of the link getting copied somewhere else, the whole email gets forwarded to other people.

5. Lead/User was sent a sales email as part of a mass send from the Outlook or Gmail plugins, which are only designed for 1-to-1 sends.  Sending to multiple email addresses will cause the links to all track to the first person in the To: field, and everyone else gets cookied as that person.

Because of the way Marketo works it's absolutely not possible for someone to see another lead's information unless they have filled out a form using the email address associated with that record, clicked a tracked link meant for another lead, or been part of a batch send from the Outlook or Gmail plugins.  The second is most common, but all of them will cookie the person's browser just as easily.

To prevent this, it's a good idea to use a separate browser for testing, or to clear the cache and cookies of your browser when testing pages/forms/emails.  You can also use Incognito mode if your browser allows it.

At this time it's not possible to dissociate a cookie/browser with a lead record.  Once that connection is made, the only option is to remove the cookie from the browser.

Not applicable

Just to note, we're experiencing this within our network between computers, not just browsers. IP issues?

Level 10 - Community Moderator

IP issues?

Doubtful.  Changing your IP address will not invalidate or hijack someone else's cookie -- unless you (not Marketo) are using a misconfigured web proxy that does not vary responses based on the cookie. Such mistakes can be catastrophic for authenticated sites but can have similar effects on the automatic, "casual" authentication maintained by Munchkin.

Level 1

Are there any work-arounds to this, such as having the landing page delete the cookie and reset with the tracked link from the email?

Not applicable

I really wish this were possible, but I haven't been able to figure out how to make it work.

Level 10 - Community Moderator

It's certainly possible to void the cookie and create a new association based on the URL token. How are you trying to do this?

Hi Sanford,

What we ended up doing for this was putting a page in front of our actual landing page. That page clears any existing cookie, grabs the "mkt_tok" string from the URL, and then redirects to the actual landing adding in the "mkt_tok" back into the URL.

If there is a simpler or cleaner way to achieve the same results I would love to know.
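
A sketch of the interstitial page described in the post above, as an added example that is not part of the original thread or Marketo's own code. It assumes the tracking cookie is Munchkin's `_mkto_trk`, that it may be scoped to any parent domain of the page, and that the destination `https://pages.example.com/offer.html` is a placeholder; the destination is fixed in code rather than read from the query string so the page cannot be used as an open redirect.

```javascript
// Added example: interstitial that drops the existing Munchkin cookie and
// forwards only mkt_tok to a fixed landing page.
const MUNCHKIN_COOKIE = "_mkto_trk"; // Munchkin tracking cookie name
const LANDING_PAGE = "https://pages.example.com/offer.html"; // placeholder destination

// Every domain the cookie may have been scoped to, e.g.
// "pages.example.com" -> ["pages.example.com", "example.com"].
function candidateDomains(hostname) {
  const parts = hostname.split(".");
  const out = [];
  for (let i = 0; i + 1 < parts.length; i++) {
    out.push(parts.slice(i).join("."));
  }
  return out;
}

// Strings to assign to document.cookie. A cookie is only removed when Domain
// and Path match how it was set, so emit a host-only form plus one per domain.
function expiryStrings(hostname, name = MUNCHKIN_COOKIE) {
  const base = `${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/`;
  return [base, ...candidateDomains(hostname).map((d) => `${base}; Domain=.${d}`)];
}

// Build the redirect target: fixed destination, carrying only mkt_tok.
// Any other query parameter on the incoming URL is dropped.
function buildRedirect(currentUrl, landingPage = LANDING_PAGE) {
  const tok = new URL(currentUrl).searchParams.get("mkt_tok");
  const dest = new URL(landingPage);
  if (tok) dest.searchParams.set("mkt_tok", tok);
  return dest.toString();
}

// Browser-only wiring; skipped when the file is loaded outside a page.
if (typeof document !== "undefined" && typeof location !== "undefined") {
  for (const c of expiryStrings(location.hostname)) document.cookie = c;
  location.replace(buildRedirect(location.href));
}
```
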

Level 10 - Community Moderator

That's a way to do it, Raymond. But you can do the same thing from the destination LP itself. (And you don't necessarily need to refresh the page after clearing the cookie, you can delete and reinsert the form. Though it's easier to refresh, you should then skip the Visit Web Page for the second page view, which takes another tiny bit of code.)

Level 2

Would it be advisable that if we noticed a pattern, for example, the data was being prefilled with a lead's email of example@test.com, that we could use the Form API to remove the cookie if the email is email@test.com before the form is loaded and then load the form as usual?

Level 10 - Community Moderator

Yes, you could check the properties of the mktoPreFillFields object in the <head> and clear both the object and the cookie before the form loads.