
Some guy bought Chipotle's 'HR website' for $30

[Image: a Chipotle worker. Credit: Bloomberg/Inside Chipotle documentary]

A web domain Chipotle Mexican Grill used in emails to potential employees for months had a big security problem: The company didn't own it.


According to cybersecurity researcher Brian Krebs, people applying for positions with the company through its careers portal received automated emails back from "chipotle@chipotlehr.com."

Except chipotlehr.com is not owned by Chipotle. It's owned by Michael Kohlman, an IT expert who noticed the flaw and bought the domain for $30.

Anyone configuring an automated mailer can put whatever address they like in the From or Reply-To header, so the emails themselves were delivered normally. The problem is that whoever registers the domain in that header receives every reply and bounce and can send mail from it, so Chipotle's use of a domain it didn't own handed plenty of opportunities to cybercriminals.


“In [a] nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge,” Kohlman told Krebs, in a post on his security blog. “As someone who has made a big chunk of their career defending against cyber-attackers, I’d rather see Chipotle and others learn from their mistakes rather than cause any real damage.”


Kohlman, who purchased the unregistered domain and placed a message on it saying it "is NOT the Chipotle Human Resources Page," told Krebs he'd gladly turn over the domain to Chipotle if the company wanted it. But since registering, Kohlman has received plenty of emails from potential Chipotle applicants that could have been used to create mischief, according to Naked Security.

For example, a cybercriminal holding the domain could have harvested personal information from every inbound email, or worse, replied to applicants while posing as Chipotle HR and asked for Social Security numbers, bank details, and other sensitive information.

Tech Insider reached out to Chipotle for comment, but has not yet received a response. However, Chipotle spokesperson Chris Arnold responded to Krebs in a statement, dismissing the security flaw as a "non-issue":

“The chipotlehr.com domain is not a functional address and never has been,” Arnold wrote in his statement. “It never had any operational significance, and never served to solicit or accept any kind of response. So there has never been a security risk of any kind associated with this. That address is being changed to careers.chipotle.com (a domain that we do own), but this has never been functional and is really a non-issue.”
