Home Depot's internal systems, including its critical GitHub source code repositories and cloud infrastructure, were left exposed for nearly a year due to a mistakenly published private access token. A security researcher, Ben Zimmermann, discovered the vulnerability and repeatedly attempted to alert the retail giant, but his warnings went unheeded for weeks. The significant security lapse was only addressed after TechCrunch contacted Home Depot representatives, leading to the swift revocation of the exposed token.

Zimmermann informed TechCrunch that he identified the exposed GitHub access token, belonging to a Home Depot employee, in early November. The token itself had reportedly been exposed since early 2024. Upon testing, Zimmermann confirmed the token provided extensive access to hundreds of Home Depot's private source code repositories hosted on GitHub, even allowing modifications to their content.
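The failure mode here is a credential that reached a public place and stayed there for months. A check that runs before code is published is the cheapest mitigation. The following is an added example, not code from the article or from Home Depot: a small pre-commit style scanner that looks for GitHub's documented token shapes (classic tokens such as `ghp_...`, fine-grained `github_pat_...`) in text, reports each hit by line with the secret redacted, and exits non-zero so the commit or pipeline stops. The token prefixes and lengths are assumed to match GitHub's current formats; the sample input and the tokens inside it are constructed for the demonstration.

```python
"""Pre-commit style scanner for accidentally committed GitHub access tokens.

Added example (not from the article). It checks text for the documented
GitHub token formats so a leak is caught before it is pushed, rather than
found by a third party months later.
"""
import re
import sys
from dataclasses import dataclass

# Token shapes as documented by GitHub. Assumption: these prefixes and
# lengths match GitHub's current formats; adjust if GitHub changes them.
TOKEN_PATTERNS = {
    "classic-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "oauth-access": re.compile(r"\bgho_[A-Za-z0-9]{36}\b"),
    "user-to-server": re.compile(r"\bghu_[A-Za-z0-9]{36}\b"),
    "server-to-server": re.compile(r"\bghs_[A-Za-z0-9]{36}\b"),
    "refresh": re.compile(r"\bghr_[A-Za-z0-9]{36}\b"),
    "fine-grained-pat": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"
    ),
}


@dataclass(frozen=True)
class Finding:
    line_no: int    # 1-based line within the scanned text
    kind: str       # which pattern matched
    redacted: str   # prefix + "..." + last 4 chars; never log the full secret


def redact(token: str) -> str:
    """Keep just enough of the token to identify it in a report."""
    prefix = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{prefix}...{token[-4:]}"


def scan_text(text: str) -> list[Finding]:
    """Return every token-shaped string found in `text`, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, redact(match.group(0))))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan each file; return only the paths that contain findings."""
    results: dict[str, list[Finding]] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_text(fh.read())
        if found:
            results[path] = found
    return results


# Constructed sample: a settings file with one classic token in an env
# assignment and another embedded in a clone URL. Both tokens are made up.
SAMPLE = """\
GITHUB_OWNER=example-org
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
remote=https://ghp_zyxwvutsrqponmlkjihgfedcba9876543210@github.com/example-org/app.git
# placeholder only, too short to match: ghp_XXXX
"""

if __name__ == "__main__":
    # With file arguments: scan them (e.g. the staged files from a git hook).
    # Without arguments: scan the constructed sample so the script runs offline.
    if len(sys.argv) > 1:
        hits = scan_files(sys.argv[1:])
    else:
        hits = {"<sample>": scan_text(SAMPLE)}
    for path, found in hits.items():
        for f in found:
            print(f"{path}:{f.line_no}: {f.kind} token {f.redacted}")
    # Non-zero exit blocks the commit or fails the pipeline step.
    sys.exit(1 if hits else 0)
```

Wire it in as a git pre-commit hook over `git diff --cached --name-only` or as an early CI step; the redacted output is safe to keep in build logs, and a hit should be followed by revoking the token, not just removing it from the commit, since the history may already have been pushed.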

The researcher further detailed that the compromised keys facilitated access to Home Depot's broader cloud infrastructure. This included sensitive systems such as order fulfillment, inventory management, and critical code development pipelines. Home Depot has utilized GitHub extensively for its developer and engineering infrastructure since 2015, as highlighted in a customer profile on GitHub's website.

Home Depot's Unresponsiveness

Despite the severity of the discovery, Zimmermann's attempts to privately notify Home Depot were met with silence. He sent multiple emails to the company without receiving a reply and also reached out to Chris Lanzilotta, Home Depot's Chief Information Security Officer, via LinkedIn, again without a response. Zimmermann noted that Home Depot currently lacks a formal vulnerability disclosure or bug bounty program, which would provide a clear channel for reporting such security flaws.

Zimmermann, who has a track record of disclosing similar exposures to other companies in recent months and receiving their gratitude, stated:

Home Depot is the only company that ignored me.

This lack of response ultimately prompted him to contact TechCrunch, hoping to expedite a resolution to the ongoing exposure.

TechCrunch Intervention Leads to Resolution

Following TechCrunch's outreach to Home Depot on December 5, the exposed token was promptly taken offline, and its access revoked. Home Depot spokesperson George Lane acknowledged TechCrunch's initial email but did not provide further comment or respond to follow-up inquiries regarding the incident.

TechCrunch also sought clarification from Lane on whether Home Depot possesses the technical means, such as comprehensive logs, to ascertain if the token had been exploited by any unauthorized parties during the months it remained accessible online. No response was received regarding this critical query.