Home Depot exposed access to internal systems for a year, says researcher

A security researcher reported that Home Depot left access to its internal systems exposed for a year after an employee accidentally published a private access token online. The researcher discovered the exposed token and attempted to alert Home Depot privately, but his warnings were ignored for several weeks. The issue was only fixed after TechCrunch contacted company representatives last week.

Security researcher Ben Zimmermann explained that in early November he found a GitHub access token belonging to a Home Depot employee that had been exposed earlier in 2024. Upon testing, Zimmermann confirmed the token granted access to hundreds of Home Depot’s private source code repositories on GitHub, even allowing modifications to their contents. The token also provided access to the company’s cloud infrastructure, including order fulfillment and inventory management systems, as well as code development pipelines.

Zimmermann stated he sent multiple emails to Home Depot but received no reply. He also attempted to contact the company’s chief information security officer via LinkedIn without success. The researcher noted he has disclosed similar exposures to other companies recently, all of whom thanked him for his findings. He said Home Depot was the only company that ignored him.

Since Home Depot lacks a formal method for reporting security flaws, such as a vulnerability disclosure program, Zimmermann contacted TechCrunch to help resolve the exposure. When reached on December 5, Home Depot spokesperson George Lane acknowledged the initial email but did not respond to follow-up requests for comment. The exposed token has since been removed from online access, and its permissions were revoked shortly after TechCrunch’s outreach.

TechCrunch also asked Home Depot if it has the technical capability, through logs, to determine whether anyone else used the token during its months of exposure to access internal systems. No response was received.