I've seen several times people recommending to buy monero on Shapeshift/Poloniex, transfer to their wallet and then transfer again to another wallet. All transactions that happen that way are easily linked.
I will deanonymize some transactions here so you can see for yourself, but first, I will try to explain the basics with an example:
When you have 123 moneros, this value is spread in your wallet as addresses with balances that are multiples of powers of 10 (like 40, 2, 0.05). Lets assume your wallet has 3 addresses; one with 100 moneros, other with 20 and other with 3. If these 123 moneros are send, each of those 3 addresses is individually mixed with addresses with the same balance belonging to other users. It would be like a transaction made of 3 subtransactions in this case. Addresses that help with the mixing are chosen randomly and are, therefore, expected to have been funded randomly over the time, each in a different block.
The flaw is that there is a difference between your wallet and the wallets containing those addresses that help with the mixing: Your wallet always takes part in all subtransactions of a transaction it sends, while the others do not. Therefore, if your wallet received those 123 moneros in a single deposit, all the 3 addresses (100, 20 and 3) will be from the same block, when they should have been from blocks randomly distributed over the time like the others. Consequently, the sender, you, is revealed. Two addresses from the same block is enough to reveal the sender.
OK. Lets deanonymize something. I just opened a blockchain explorer, took a look, and one of the first transactions I saw was not anonymous: http://moneroblocks.info/tx/0158c44a5a011501a020ded08a8676154f6cb88039feeedadf02b7a7ba22d0d9 Notice how the values 5 and 600, and maybe others, came from block 120867. Now, we know the sender owns all output addresses from transaction 6cfea05aab60954f5904013d56fb4a40b9048cc81940f52ab51de0286a42e269. This is easy to automate, and there is a domino effect: now that the sender is known, all transactions he helped mix in the past are weakened, and so on. Even when the addresses are not from the same block, if they are from blocks that are too close, like if you received several deposits over a weak, there will be a strong correlation, opening the door for blacklists.
That is why, in its current implementation, Monero is only anonymous if you have an aged wallet that have received a couple of deposits spread over the time, which I guess is not the case for a lot of users.
better discussion in this thread