"Burrito" chain Chipotle has been using an internet domain for its HR emails that it has no control over.

IT pro Michael Kohlman found that the US fast-food giant was stamping @chipotlehr.com addresses on emails sent to those who applied for jobs via its website. The form response, sent to applicants, came with instructions not to reply to the "from" address.

This, apparently, was because Chipotle did not actually own the chipotlehr.com domain at the time and any messages sent to the address would simply return a DNS error.

Kohlman told Krebs on Security that when he sent a reply message to the domain, he received the error response and quickly realized the chipotlehr.com domain had never been registered. Anyone who did claim the dot-com would begin receiving any replies intended for the domain.

This, obviously, could pose a security risk as a malicious person who owned the domain could have access to the emails job-seekers had sent to address believing they were contacting a corporate human resources department. Kohlman noted that many of the emails included requests for password help, saying "the potential for someone to abuse this is huge."

Kohlman said he registered the chipotlehr.com domain and indeed received emails intended for Chipotle's human resources department. According to Kohlman, Chipotle has not asked for control of the domain despite his offer to transfer control over for free.

The domain now directs to a landing page that reads "This is NOT the Chipotle Human Resources Page" and a WHOIS lookup lists the domain as "transfer prohibited" by the registrar. The report noted Chipotle now uses a different domain, which it does own, as the sent mail address for HR inquiries.

Chipotle has yet to respond to a Reg request for comment on the matter. ®

What are your email cockup and horrors? Share your tales in the comment section below.