How is this possible, you ask?
It's called "post-transaction marketing," and it's mostly legal. It's also annoyingly unethical.
From Privacy Digest:
Internet companies call this "post transaction marketing." To consumers it might feel more like electronic pickpocketing.
Some time after Frison-Thornton gave her credit card number to Classmates, a survey or free trial offer probably popped up. It didn't ask for her credit card number or any personal information so she clicked it.
But she didn't know that meant classmates would sell her credit card number to another company, like "Privacy Matters" which, ironically, offers a credit card protection service. Yet it put unwanted charges on Frison-Thornton's bill.
Pretty slimy, eh?
Internet companies argue that customers agree to the release of their credit card information in disclaimers often buried in fine print.
We're talking millions of dollars here, yet that sound you (don't) hear is the lack of consumer outrage or corrective action by regulators.