No, it wouldn't be a cookie stored in your system -- that would be the RIGHT way to do this. Instead, Nashbar is including the info in a non-encrypted page on their website, so that anyone with the right link can see your account information -- even without logging in as you. That is the only way this could have happened.

And it's really bad. It's beyond stupid. Websites that store much less sensitive information than addresses and phone numbers and possibly credit card numbers do a better job of hiding private information. See, for instance, Team Estrogen -- if I send you a link to a page in this forum, when you follow the link, you are still logged in (or not) to your own account; you don't see the page the way I see it when I'm logged into my own account. That's the proper way to do things, and I don't even understand how someone at Nashbar.com could have screwed it up so badly. Somebody needs firin'.