
It gets funnier... This poor sob just got their email revealed when I searched for

"Email Opt-Out | Facebook"

I can also disable Facebook emails for them:

http://www.facebook.com/o.php?u=1187719938&k=5fcf21




Oh that's just crazy. I just clicked that link but didn't click Confirm because ?u= is someone else's user ID.

What's sad is that because it's numeric, you can run down a whole list of IDs, opting people out or in.

So what's k stand for, crc32() or something like that on the u parameter?


You should never expose internal incremental user IDs in URLs like these. Have a combination of GUIDs that links to the user ID in your database.
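An added example (not from the thread or from Facebook) of the pattern this comment recommends, in Python: the opt-out link carries only an opaque random token that the server maps to the user ID, so nothing in the URL can be enumerated. For comparison it also shows a keyed-MAC variant that keeps `u` but makes `k` unforgeable and full length. The server key, base URL and in-memory token table are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for a server-side secret; load it from a secrets store in practice.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Pattern 1 (the comment's advice): opaque random token -> user ID, kept server-side.
# The URL carries no user ID, so there is no numeric sequence to walk.
_OPTOUT_TOKENS: Dict[str, int] = {}   # stands in for a database table


def issue_optout_link(user_id: int, base: str = "https://example.invalid/o") -> str:
    token = secrets.token_urlsafe(32)          # 256 bits of randomness, not derivable from user_id
    _OPTOUT_TOKENS[token] = user_id
    return f"{base}?{urlencode({'t': token})}"


def resolve_optout_link(url: str) -> Optional[int]:
    token = parse_qs(urlparse(url).query).get("t", [None])[0]
    return _OPTOUT_TOKENS.get(token) if token else None


# Pattern 2: keep u in the URL, but bind it with a full-length keyed MAC so k cannot be
# computed without SERVER_KEY, and compare in constant time to avoid timing leaks.
def sign_user_id(user_id: int) -> str:
    return hmac.new(SERVER_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


def verify_signed_link(url: str) -> Optional[int]:
    qs = parse_qs(urlparse(url).query)
    u, k = qs.get("u", [None])[0], qs.get("k", [None])[0]
    if not (u and k and u.isdigit() and k.isascii()):
        return None
    expected = sign_user_id(int(u))
    return int(u) if hmac.compare_digest(expected, k) else None
```

A short tag like a 6-hex-digit `k` (24 bits) would still be brute-forceable per ID even if keyed, which is why the MAC is kept at its full length.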



