OPSEC is hard. Even people for whom it's a matter of life and death fail at it routinely. Angry trolls even more so. Your first message may be anonymous, but by your third message there's a good chance someone dedicated could find you if they cared enough.
VPN providers keep logs even when they say they don't, your browser transmits an often unique fingerprint, vulnerabilities allow disclosing real ip, and so on. Even darknet market operators with all the reasons for trying to be anonymous and paranoid get outed. It's just a matter of how much resources it takes.
Why would a VPN provider disclose customer info to a random third party? Why would you assume that the majority of VPN providers lie to customers? Why do you think people who want to stay anonymous don't know how to throw off browser fingerprinting?
VPN providers often don't run their own networks, but instead run on other ISP networks.
Those underlying ISPs have data that can be used to correlate (with a scary amount of accuracy in a remarkably short space of time) your flow to the VPN server against a flow from the VPN server to a remote host.
Without exaggerating, lives have been saved through this technique. Once the technology exists for one purpose, it can be repurposed very easily.
You buy it from one of the vendors that tracks people...
There are literally businesses out there that gives you a snippet to embed in your site, and then they employ all the tricks of tracking to give you email, name, address, etc.
It's not perfect every time, but probably more that you would like. And I wouldn't be surprised if incognito mode or VPN isn't always enough to disappear.
Like I said, all existing tracking methods can be fooled. Poisoned data isn't worth much. People who want anonymity know how to completely throw off commercial trackers to the point where they are useless.
Yes it does, you are mistaken. An IP does not identify you if it's a proxy server or a VPN or a Tor node. All existing tracking methods can be fooled.