Chipotle's human resources department has been sending autoresponder emails to job applicants from a domain the company does not own. KrebsOnSecurity.com reader Michael Kohlman, an IT professional, discovered that chipotlehr.com had never been registered to or controlled by the corporation after he applied for a job there.
When he received the autoresponse from address@chipotlehr.com, he replied to it and got a bounce message saying his reply was undeliverable. He then looked up the domain's registration records, found that nobody owned it, and bought it. As the domain's owner, he could receive any mail sent back to the HR department's sender address. Although the HR emails told applicants not to reply, some had replied anyway with questions about their applications or about how to use the careers website.
Chipotle responded that there was no security threat, since the address had never been an active mailbox. Mail sent to an unregistered domain, however, goes to whoever registers it, which is exactly how Kohlman came to read applicants' replies. Still, the company did change the domain its HR emails are sent from.
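The failure here is an outbound mail system whose From, Reply-To or Return-Path address points at a domain the organisation does not control, so that human replies and bounces leave the organisation. The check below is an added example, not code from the original story or from Chipotle: it parses a message's sender-side headers with Python's standard `email` module and reports any header whose address domain is not in an assumed list of owned domains. The owned domain (`example.com`), the unowned domain (`example-hr.test`) and the three sample messages are constructed for the example.

```python
"""Audit the sender-side headers of an outbound message against the domains
an organisation actually controls (added example; the domains and messages
below are constructed, not taken from the original story)."""
import email
from email.utils import getaddresses

# Assumption: the set of domains the organisation owns and keeps registered.
OWNED_DOMAINS = {"example.com"}

# Headers that decide where a human reply or a delivery bounce ends up.
SENDER_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")


def _is_owned(domain, owned):
    """True if `domain` is an owned domain or a subdomain of one."""
    return domain in owned or any(domain.endswith("." + o) for o in owned)


def sender_domains(raw_message):
    """Map each sender-side header present in `raw_message` to the
    lower-cased domain of the address it carries."""
    msg = email.message_from_string(raw_message)
    result = {}
    for hdr in SENDER_HEADERS:
        values = msg.get_all(hdr)
        if not values:
            continue
        for _display_name, addr in getaddresses(values):
            if "@" in addr:
                result[hdr] = addr.rsplit("@", 1)[1].lower()
    return result


def unowned_sender_domains(raw_message, owned=OWNED_DOMAINS):
    """Return {header: domain} for every sender-side header whose domain we
    do not control. A non-empty result means replies or bounces to this
    message are delivered to whoever owns (or registers) that domain."""
    return {hdr: dom for hdr, dom in sender_domains(raw_message).items()
            if not _is_owned(dom, owned)}


# Constructed sample: the whole autoresponder comes from an unowned domain.
AUTORESPONDER_UNOWNED = (
    "From: HR Team <noreply@example-hr.test>\n"
    "Reply-To: HR Team <noreply@example-hr.test>\n"
    "To: applicant@example.net\n"
    "Subject: Application received\n"
    "\n"
    "Please do not reply to this message.\n"
)

# Constructed sample: sender and bounce addresses are both on owned domains.
AUTORESPONDER_OK = (
    "Return-Path: <bounces@example.com>\n"
    "From: HR Team <noreply@hr.example.com>\n"
    "To: applicant@example.net\n"
    "Subject: Application received\n"
    "\n"
    "Please do not reply to this message.\n"
)

# Constructed sample: From looks fine, but Reply-To still sends human
# replies to an unowned domain.
REPLY_TO_UNOWNED = (
    "From: HR Team <noreply@hr.example.com>\n"
    "Reply-To: careers@example-hr.test\n"
    "To: applicant@example.net\n"
    "Subject: Application received\n"
    "\n"
    "Please do not reply to this message.\n"
)

if __name__ == "__main__":
    for label, raw in (("unowned", AUTORESPONDER_UNOWNED),
                       ("ok", AUTORESPONDER_OK),
                       ("reply-to", REPLY_TO_UNOWNED)):
        print(label, unowned_sender_domains(raw))
```

The check is an allowlist comparison only: it catches a sender domain that is not on the list of domains you control, including the case where only Reply-To is wrong, but it cannot tell you whether a listed domain is still registered or has working MX records. That requires a live WHOIS or DNS lookup, which is deliberately left out so the example runs offline; in practice, run this over a sample of real outbound mail and pair it with a periodic registration check on every domain in the allowlist.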