Chipotle’s email mistake could’ve been costly

Burrito giant Chipotle must have said “No thanks,” when it was asked, “Do you want to buy your own domain for a few dollars extra?” 

The fast casual restaurant’s HR department made a serious error according to Krebs on Security. One of the site’s readers explained that when he applied for a job to the company, he emailed his resume to the “” address that he had received emails from.

The problem is, despite its emails appearing to come from the site, the company never actually owned it. So the reader was able to pay $35 to get the site himself.

Essentially, that means that anyone who ignored the instructions not to reply to that address would have been corresponding with the applicant, and not Chipotle’s HR department.

Chipotle seemed to not care: Even after the applicant offered to hand over the domain free of charge, Chipotle declined saying that it wasn’t soliciting email for that address and never had any interest in owning it anyway.

Dangers of ‘do not reply’

As Krebs observes, this kind of attack has been used in the past. The owner of “” was overloaded with emails containing private information for companies several years back.

Lesson for IT pros: If you’re going to have email accounts that are designed to send and not receive email, just set up an account and never check it or pony up a few bucks for the domain. That way, you can avoid losing customers’ or potential employees’ private info.

Make Smarter Tech Decisions

Get the latest IT news, trends, and insights - delivered weekly.

Privacy Policy