The domain, chipotlehr.com, was subsequently purchased by unemployed IT worker Michael Kohlman for $30, who in turn tipped off security blogger Brian Krebs to the situation. Kohlman said once he bought the domain he began receiving all emails sent to the domain.
“If he’d wanted to, Kohlman could have stolen personal information from those job applicants such as their names, email addresses, phone numbers, and so on,” according to the article. Kohlman offered to give Chipotle the domain for free, but the company refused. Chipotle told Krebs in an email there was no security risk because the domain was never functional and described the matter as a “non-issue.”