Home Depot reportedly left internal systems at risk for over a year
Security researcher found a GitHub token which could have caused major Home Depot headaches
- Home Depot exposed a GitHub token for a year, granting access to critical internal systems
- Researcher warnings were ignored until media intervened, after which the token was revoked
- Similar leaks across GitHub/GitLab show widespread risks from hardcoded secrets and misconfigured repos
Home Depot kept access to its internal systems open for more than a year, to anyone who knew where to look, experts have warned.
Security researcher Ben Zimmermann recently found a published GitHub access token which belonged to a Home Depot employee.
The token was exposed, most likely by mistake, in early 2024, and granted access to “hundreds of private Home Depot source code repositories” hosted on GitHub. Zimmermann said the token allowed him to modify the contents of those repositories.
A common problem
The tokens granted the researcher access to the company’s cloud infrastructure, order fulfillment and inventory management systems, as well as code development pipelines.
Zimmermann also said he tried reaching out to Home Depot on multiple occasions and through different channels, but was met with silence.
The hole was plugged only after he reported his findings to TechCrunch: when the publication reached out to the company, Home Depot confirmed that the token had been removed in early December and its access revoked.
GitHub access tokens often get left behind during software development, and as such present a unique opportunity for hackers looking for an easy way into corporate infrastructure.
A security researcher recently found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers are inadvertently putting their own projects at risk of cyberattacks. Luke Marshall has revealed how he scanned GitLab Cloud, Bitbucket, and Common Crawl for things like API keys, passwords, or tokens - and unfortunately uncovered quite a lot.
And in April 2025, security researchers at GreyNoise warned that Singaporean threat actors were on the hunt for organizations in the country that can be broken into and exploited. At that time, cybercriminals were increasingly scanning for exposed Git configuration files.
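The pattern the article describes, tokens left behind in source trees and found by anyone who scans for them, is the same check a development team can run on its own repositories before anything is pushed. The following is an added example in Python, not code from the article, from Home Depot, or from the researchers named above. It walks a directory, matches GitHub's documented token prefixes (classic `ghp_`, fine-grained `github_pat_`, and the `gho_`/`ghu_`/`ghs_` app and OAuth tokens; the exact lengths are taken from GitHub's published formats and should be re-verified if those change), and reports findings with the secret redacted. The skip list and the sample files are constructed for the example.

```python
"""Scan a source tree for GitHub-style access tokens before they are committed.

Added example (not from the article or any company it names). Token formats
follow GitHub's documented prefixes and lengths; treat them as an assumption
to re-check against GitHub's current documentation.
"""
import re
from pathlib import Path
from typing import Iterator

TOKEN_PATTERNS = {
    # Classic personal access token: "ghp_" followed by 36 alphanumerics.
    "github_classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Fine-grained PAT: "github_pat_" + 22 chars + "_" + 59 chars.
    "github_fine_grained_pat": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"
    ),
    # OAuth (gho_), user-to-server (ghu_) and server-to-server (ghs_) tokens.
    "github_app_or_oauth_token": re.compile(r"\bgh[osu]_[A-Za-z0-9]{36}\b"),
}

# Directories that are either vendored or store compressed objects (git history
# needs `git log -p` or a dedicated history scanner; this example covers the
# working tree only). Assumed list, adjust per project.
SKIP_DIRS = {".git", "node_modules", ".venv"}


def redact(token: str) -> str:
    """Keep the prefix and the last four characters so a finding can be matched
    to a token in the issuing system without echoing the whole secret."""
    prefix, _, body = token.partition("_")
    return f"{prefix}_...{body[-4:]}"


def scan_text(text: str, source: str) -> list[dict]:
    """Return one finding per token match, with line number and redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append({
                    "source": source,
                    "line": lineno,
                    "kind": kind,
                    "token": redact(match.group(0)),
                })
    return findings


def iter_files(root: Path) -> Iterator[Path]:
    """Yield regular files under root, skipping the directories in SKIP_DIRS."""
    for path in root.rglob("*"):
        if any(part in SKIP_DIRS for part in path.parts):
            continue
        if path.is_file():
            yield path


def scan_tree(root: Path) -> list[dict]:
    """Scan every readable text file under root."""
    findings = []
    for path in iter_files(root):
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file; skipped in this example
        findings.extend(scan_text(text, str(path.relative_to(root))))
    return findings


# Constructed sample files. The token bodies are filler characters of the right
# length, not real credentials.
SAMPLE_FILES = {
    ".env": "GITHUB_TOKEN=ghp_" + "x" * 36 + "\nDB_HOST=localhost\n",
    "ci/deploy.yaml": "  token: github_pat_" + "A" * 22 + "_" + "B" * 59 + "\n",
    "README.md": "Set GITHUB_TOKEN in your environment; never commit it.\n",
}


def scan_samples() -> list[dict]:
    """Run the scanner over the constructed sample files (no filesystem needed)."""
    findings = []
    for name, content in SAMPLE_FILES.items():
        findings.extend(scan_text(content, name))
    return findings


if __name__ == "__main__":
    # Usage on a real checkout: python scan_tokens.py /path/to/repo
    import sys
    results = scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1 else scan_samples()
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['kind']} {f['token']}")
```

Run against the sample data the script reports the `.env` and `ci/deploy.yaml` hits and nothing for the README; pointed at a checkout it scans the working tree. A finding should be treated as already compromised if the file was ever pushed: rotate the token at the issuer rather than just deleting the line, since the value survives in history and in any clone, which is why the article's token needed revoking rather than a quiet edit.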
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.