Applying for jobs can be painful, but at least your interactions with “human resources” don’t put you at risk of anything worse than dashed hopes.
Actually, that’s not the case for those applying for a role at Chipotle. Until recently, the giant Mexican fast food restaurant chain was putting its job applicants at risk of identity theft and phishing attacks.
That’s because Chipotle was sending emails to new job applicants from an email address using a domain – chipotlehr.com – it didn’t own.
The domain wasn’t owned by anyone, in fact, until an unemployed IT worker applied for a job at Chipotle and found out the chipotlehr.com domain wasn’t registered, and bought it for $30.
The IT worker, Michael Kohlman, tipped off security blogger Brian Krebs, who went to work and did what he does so well – exposing just how badly a major company has bungled security.
Once Kohlman owned the domain, he started receiving all emails people sent to firstname.lastname@example.org, which could have been disastrous if a cybercrook had got to the domain first.
If he’d wanted to, Kohlman could have stolen personal information from those job applicants such as their names, email addresses, phone numbers, and so on.
Or he could have used the email@example.com email to go phishing for more information from the applicants, perhaps by asking them for Social Security numbers or bank information for supposed “background checks.”
There are many ways the domain could have been abused in the wrong hands, as Kohlman told Krebs:
In nutshell, everything that goes in email to this HR system could be grabbed, so the potential for someone to abuse this is huge.
Chipotle had never owned the domain – it was just using the email address for emails that it told job applicants not to reply to.
But many people did reply to those emails, or emailed an address on the chipotlehr.com domain in hopes of finding someone at Chipotle HR.
Kohlman said he discovered the unregistered domain when he replied to the email he received after submitting an application and got an error message.
Kohlman went to Chipotle and offered to give them the chipotlehr.com domain for free, but they expressed no interest.
Now the website shows only a black screen with the message:
This is NOT the Chipotle Human Resources Page
Perhaps most concerning is the fact that Chipotle still doesn’t see how sending emails from an unregistered domain was a security no-no.
In an emailed statement, Chipotle told Krebs that the chipotlehr.com domain was “never functional,” and therefore there has “never been a security risk of any kind associated with this,” and it is “really a non-issue.”
Charitably, Kohlman said he wanted to help Chipotle and others “learn from their mistakes,” rather than causing Chipotle any “real damage.”
They didn’t get the message.
Maybe Chipotle – a $3.5 billion company that says it’s “on a mission to change the way people think about and eat fast food” – should start by hiring someone to think about security for a change.