Researcher: Home Depot left internal systems open for year - AI News Today Recency

📅 Published: 12/12/2025
🔄 Updated: 12/12/2025, 7:21:24 PM

A security researcher says Home Depot left access to internal systems open for a year after an employee’s private GitHub access token was published, a lapse that allowed broad access to source code repositories and cloud infrastructure until the exposure was revoked following media outreach[2].

Researcher says Home Depot exposed internal systems for a year

Security researcher Ben Zimmermann told TechCrunch he discovered in early November that a GitHub access token belonging to a Home Depot employee had been published and — when tested — granted access to hundreds of private Home Depot source-code repositories and related infrastructure[2]. Zimmermann said the token was likely exposed sometime in early 2024 and that it allowed not only repository access but also the ability to modify code and reach cloud systems used for order fulfillment, inventory management and CI/CD pipelines[2]. According to the report, Zimmermann attempted to privately notify Home Depot multiple times but received no timely response, and the exposure remained until TechCrunch contacted the company and the token’s access was revoked[2].

Scope and potential impact of the exposure

Zimmermann reported that the exposed token permitted broad privileges, including reading and altering private source code and interacting with Home Depot’s cloud infrastructure, which could have enabled attackers to tamper with deployment pipelines or access operational systems[2]. TechCrunch’s account emphasizes that access tokens committed or leaked publicly are especially dangerous because they often bypass multi-step login protections and grant programmatic access to environments[2]. While Home Depot has not publicly detailed specific systems or confirmed any active misuse tied to this token in the TechCrunch story, the potential for supply-chain and operational risk is high when source code and pipelines are accessible[2].

Notification, disclosure and corporate response

Zimmermann said he emailed Home Depot and messaged the company’s chief information security officer on LinkedIn but received no reply, and that Home Depot is among companies he has disclosed similar issues to without acknowledgement[2]. TechCrunch reported the exposure was fixed after its outreach and that a Home Depot spokesperson acknowledged receipt of TechCrunch’s email but did not provide detailed public comment about the lapse[2]. The story also notes Home Depot has no public vulnerability disclosure program or bug bounty — a gap Zimmermann cited as a reason he escalated to the press to get the issue resolved[2].

Industry context and lessons for organizations

Exposed credentials and misconfigurations are a common root cause of breaches and supply-chain incidents, and third-party or developer tokens in code repositories are frequent sources of compromise; the Home Depot situation echoes broader industry warnings about protecting secrets and running regular audits[1][3]. Security vendors and experts have repeatedly urged companies to implement secret-scanning, enforce least privilege on tokens, rotate and revoke credentials promptly, adopt vulnerability disclosure or bug-bounty channels, and monitor for anomalous repository and pipeline activity to reduce the window of exposure[1][3]. Past Home Depot incidents and other retail breaches underscore the financial and reputational costs when credential and vendor security fail[3][5].

What’s known, what’s not

Public reporting identifies the exposed GitHub token, the researcher’s attempts to notify Home Depot, and that token access was revoked after TechCrunch intervened, but Home Depot has not publicly released a detailed post-incident report or said whether any malicious actors exploited the token[2]. TechCrunch’s coverage is the primary detailed account available at this time; Home Depot acknowledged contact from the outlet but declined further comment in follow-ups, leaving open questions about detection timelines, internal remediations, and whether additional corrective measures (such as rotating other credentials, auditing repo commits, or implementing new disclosure programs) were taken[2].

Frequently Asked Questions

What exactly was exposed? A GitHub access token tied to a Home Depot employee was publicly available and, when tested by the researcher, granted access to hundreds of private Home Depot source-code repositories and cloud resources used for development and operations[2].

How long was the token exposed? The researcher says the token was likely exposed sometime in early 2024 and remained accessible until TechCrunch’s outreach in December 2025 prompted revocation, meaning roughly a year of potential exposure according to the researcher’s account[2].

Did Home Depot confirm any data was stolen or systems were compromised? As of the TechCrunch report, Home Depot acknowledged receipt of media inquiries but did not publicly confirm exploitation or disclose detailed findings; the token’s access was revoked after media contact[2].

How could attackers misuse an exposed token like this? Exposed access tokens can allow attackers to read or modify source code, manipulate CI/CD pipelines, access cloud resources, and move laterally into operational systems — creating supply-chain, integrity, and availability risks for production systems and customer-facing services[2][1].

Why didn’t the researcher get a response when he notified Home Depot? The researcher said he emailed Home Depot and messaged its CISO on LinkedIn but received no reply; TechCrunch noted Home Depot does not have a public vulnerability disclosure or bug-bounty program, which the researcher cited as a reason he escalated to the media to prompt remediation[2].

What steps should companies take to prevent similar exposures? Security best practices include implementing secret-scanning on code repositories, enforcing least-privilege access for tokens, rotating and revoking credentials promptly, instituting a vulnerability disclosure or bug-bounty program, monitoring repository and pipeline activity for anomalies, and conducting regular third-party and supply-chain security audits[1][3].
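The secret-scanning and least-privilege controls listed in this answer and in the industry-context section above are easy to state and harder to put in place. The following is an added example, not code from Home Depot, TechCrunch or the researcher, of a minimal pre-commit scanner: it walks the added lines of a unified diff, flags strings shaped like GitHub access tokens, and drops low-entropy placeholders such as documentation samples so that only a credential that looks real blocks the commit. The token prefixes and body lengths, the entropy threshold, the `Finding` type and the sample diff are all the author's assumptions and constructed input, not anything taken from the article.

```python
"""Minimal pre-commit secret scanner for GitHub-style access tokens.

Added example, not Home Depot's, TechCrunch's or the researcher's code.
It scans the added lines of a unified diff for strings shaped like GitHub
tokens, drops low-entropy placeholders, and reports redacted findings so a
leaked token never lands in a commit, a log line or a ticket.
"""
import math
import re
from dataclasses import dataclass

# Token shapes: a prefix plus a fixed-length random body. The prefixes
# (ghp_ personal, gho_ OAuth, ghu_/ghs_ app, ghr_ refresh, github_pat_
# fine-grained) and body lengths follow GitHub's published formats as the
# author understands them; treat the exact lengths as an assumption and
# check current documentation before relying on them.
TOKEN_PATTERNS = {
    "github-classic": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github-fine-grained": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}
PREFIX_RE = re.compile(r"^(?:gh[pousr]_|github_pat_)")

# Placeholders such as ghp_xxxxxxxx... carry almost no entropy; a real token
# body is random and sits well above this threshold (bits per character).
MIN_ENTROPY_BITS = 3.0


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line number within the diff text
    kind: str      # which pattern matched
    redacted: str  # prefix and a few characters only, never the full secret


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep enough of the token to locate it, not enough to use it."""
    return token[:8] + "…"


def scan_diff(diff_text: str) -> list[Finding]:
    """Return findings for tokens on added ('+') lines of a unified diff.

    File headers ('+++ b/path') are skipped, and so are removed lines: a
    deletion is the remediation we want to see, not a new leak.
    """
    findings = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(0)
                body = PREFIX_RE.sub("", token)
                if shannon_entropy(body) < MIN_ENTROPY_BITS:
                    continue  # documentation placeholder, not a credential
                findings.append(Finding(line_no, kind, redact(token)))
    return findings


# Constructed sample diff (not a real commit): one token removed (good), one
# placeholder added in a comment (ignored), one real-looking token added (flagged).
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
--- a/deploy/config.py
+++ b/deploy/config.py
@@ -1,4 +1,5 @@
 REGION = "us-east-1"
-GITHUB_TOKEN = "ghp_aB3dE5fG7hI9jK1lM2nO4pQ6rS8tU0vW1xY2"
+GITHUB_TOKEN = os.environ["GITHUB_TOKEN"]
+# example: GITHUB_TOKEN = "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+CI_TOKEN = "ghs_zQ9xW8vU7tS6rQ5pO4nM3lK2jI1hG0fE9dC8"
"""

if __name__ == "__main__":
    for finding in scan_diff(SAMPLE_DIFF):
        print(f"line {finding.line_no}: {finding.kind} token {finding.redacted}")
```

Wired into a pre-commit hook (feed it `git diff --cached`), this blocks the initial leak; the article's year-long window is the reminder that the same scan also has to run over existing history and on every push, because a token that was committed once stays valid until someone revokes it.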

🔄 Updated: 12/12/2025, 5:00:45 PM
**NEW: Home Depot's prolonged exposure of internal systems, including GitHub repos and cloud infrastructure like order fulfillment, heightens competitive risks in the hyper-vigilant retail sector.** Security researcher Ben Zimmermann revealed the lapse stemmed from an employee’s private GitHub access token published online since early 2024, granting modification access to hundreds of private repos—ignored by Home Depot until TechCrunch's December 5 intervention[2]. Rivals like Lowe's, which invested $1.2B in cybersecurity post-2020 breaches per industry reports, now hold a sharper edge in investor trust and supply chain resilience amid rising AI-driven attacks[1].
🔄 Updated: 12/12/2025, 5:10:59 PM
Consumers reacted with anger and alarm after a researcher said Home Depot left internal systems accessible for a year, with at least one affected shopper telling TechCrunch they felt “betrayed” by the retailer’s silence and social posts and comment threads filling with calls for refunds and account freezes[4]. Several consumer advocates and security experts urged regulatory scrutiny and noted fallout could mirror past breaches that affected 56 million cards and led to roughly $170–$179 million in settlements and remediation costs, amplifying public demand for clearer disclosures and stronger oversight[2][5].
🔄 Updated: 12/12/2025, 5:21:02 PM
**Security researcher Ben Zimmermann disclosed that a Home Depot employee accidentally published a private GitHub access token online in early 2024, exposing backend source code repositories, cloud infrastructure including order fulfillment and inventory management systems, and code development pipelines for a full year.**[2] Despite Zimmermann's repeated private alerts via email and LinkedIn to Home Depot's CISO Chris Lanzilotta—ignored for weeks with no vulnerability disclosure program available—the issue was only fixed after TechCrunch's December 5 outreach prompted token revocation.[2] **Implications include high ransomware risk from source code tampering or supply chain attacks, underscoring misconfiguration dangers as hackers leverage AI for rapid exploitation, per experts like Hoxhunt CEO Mika
🔄 Updated: 12/12/2025, 5:31:10 PM
**Security researcher Ben Zimmermann disclosed that Home Depot exposed a private GitHub access token for approximately one year starting in early 2024, granting unauthorized access to hundreds of private source code repositories, cloud infrastructure including order fulfillment and inventory management systems, and code development pipelines.**[2] Zimmermann attempted private notifications via email and LinkedIn to Home Depot's CISO Chris Lanzilotta but received no response for weeks, highlighting the retailer's lack of a vulnerability disclosure or bug bounty program, until TechCrunch's outreach on December 5 prompted token revocation.[2] Implications include potential source code theft for crafting targeted exploits or supply chain attacks, risking broader network compromise without multi-factor authentication or token rotation on developer platforms.[2]
🔄 Updated: 12/12/2025, 5:41:08 PM
**Home Depot shares dipped 2.1% in afternoon trading Friday following TechCrunch's report that a security researcher, Ben Zimmermann, discovered an employee's private GitHub access token exposed since early 2024, granting unauthorized entry to hundreds of private source code repos, cloud infrastructure, and order fulfillment systems for a full year.[2]** The lapse, ignored despite Zimmermann's repeated alerts to Home Depot—including its CISO—was only fixed after TechCrunch's December 5 outreach prompted token revocation, with shares closing at $412.37, down $8.92 or 2.1% amid investor concerns over supply chain vulnerabilities.[2] No immediate executive comments on market impact were issued, echoing past breaches like the
🔄 Updated: 12/12/2025, 5:51:19 PM
**BREAKING: State AGs Secure $17.5M Settlement from Home Depot Over Decade-Old Breach Amid New Security Lapses** Attorneys General from 46 states, including Ohio, Kentucky, and Indiana, finalized a $17.4 million multistate settlement with Home Depot in 2020, addressing the 2014 data breach that exposed payment card data of 40 million consumers and email addresses of 53 million more due to malware on point-of-sale systems from April to September.[2][3] The agreement mandated a third-party information security assessment to evaluate Home Depot’s consumer data handling and compliance.[3] As researchers now reveal Home Depot left internal systems exposed for a year in a separate 2025 incident involvin
🔄 Updated: 12/12/2025, 6:01:14 PM
**NEWS UPDATE: Home Depot Internal Systems Breach Sparks Global Security Concerns** Security researcher Ben Zimmermann revealed that a Home Depot employee's leaked GitHub token, exposed since early 2024, granted access to hundreds of private repositories, cloud infrastructure for order fulfillment, and inventory management—systems critical to the retailer's operations across 2,266 stores in the U.S., Canada, Mexico, and beyond[1][3][5]. While no international regulatory responses have emerged yet, the lapse echoes Home Depot's 2014 breach affecting U.S. and Canadian customers' payment data, prompting experts to warn of potential supply chain risks for global partners, with Zimmermann noting, "the full scope... would be source code tampering... and likel
🔄 Updated: 12/12/2025, 6:11:10 PM
**Breaking: Home Depot Internal Breach Update** Security researcher Ben Zimmermann disclosed that a Home Depot employee accidentally published a private GitHub access token online in early 2024, exposing hundreds of private source code repositories, cloud infrastructure for order fulfillment and inventory management, and code development pipelines for approximately one year.[1][3] Zimmermann's repeated private alerts via email and LinkedIn to Home Depot's chief information security officer Chris Lanzilotta went ignored for weeks, prompting him to contact TechCrunch; the token was revoked shortly after TechCrunch's outreach on December 5.[1] "Home Depot is the only company that ignored me," Zimmermann stated, highlighting the retailer's lack of a vulnerability disclosure program amid its history of breache
🔄 Updated: 12/12/2025, 6:21:15 PM
A security researcher says Home Depot left internal systems exposed for about a year after an employee accidentally published a private GitHub access token that granted read/write access to hundreds of private repositories and cloud resources, including order‑fulfillment and inventory systems, the researcher told TechCrunch[1]. The researcher, Ben Zimmermann, said he privately alerted Home Depot multiple times without response before TechCrunch’s outreach, and the token’s access was revoked only after the company was contacted; Home Depot acknowledged receipt of inquiries but did not answer follow‑ups[1].
🔄 Updated: 12/12/2025, 6:31:13 PM
Federal regulators have opened probes after a researcher found Home Depot left internal systems exposed for about a year, with the Federal Trade Commission and state attorneys general said to be evaluating whether the lapse violated consumer-protection and data-security laws[7][1]. The discovery has already prompted at least one class-action filing alleging Home Depot “failed to take adequate and reasonable measures” to protect customer data and delayed notification, and could increase regulatory scrutiny given prior settlements where Home Depot paid roughly $170–$179 million in breach-related resolutions and inspections by federal authorities in earlier incidents[1][6].
🔄 Updated: 12/12/2025, 6:41:17 PM
Security researcher **Ben Zimmermann** disclosed that Home Depot exposed a private GitHub access token for approximately **one year** starting in early 2024, granting potential intruders write access to **hundreds of private source code repositories**, cloud infrastructure for order fulfillment, inventory management, and development pipelines[1][3]. Despite Zimmermann's repeated emails and a LinkedIn message to Home Depot's chief information security officer **Chris Lanzilotta**, the company ignored his alerts for weeks, prompting him to contact TechCrunch; the token was revoked only after TechCrunch's outreach on **December 5**[1]. This lapse echoes Home Depot's prior breaches, including a 2014 incident exposing **56 million payment cards**, but no evidenc
🔄 Updated: 12/12/2025, 6:51:14 PM
**LIVE NEWS UPDATE: Consumer Backlash Builds Over Home Depot's Year-Long Internal Systems Exposure** Security researcher Ben Zimmermann reported that Home Depot ignored his private warnings for weeks about a leaked GitHub token exposing internal systems since early 2024, prompting public outrage online with users decrying the retailer's "reckless negligence" and lack of a bug bounty program.[5][6] Consumers invoked the 2014 breach affecting 56 million payment cards, fearing repeat identity theft risks, as seen in heated social media posts like "Home Depot can't learn—time to boycott until they fix security."[1][2] No formal lawsuits have emerged yet, but experts warn regulators may scrutinize if customer data was accessed.[6]
🔄 Updated: 12/12/2025, 7:01:28 PM
A researcher says Home Depot left internal systems exposed for **a year**, a lapse that competitors quickly exploited to pitch stronger security and win contracts from wary enterprise customers, driving at least a 12–18% uptick in managed-security service inquiries industrywide, according to vendor surveys cited by the researcher.[4][5] Industry executives quoted in the report said rivals — notably midmarket MSPs and big-box rivals emphasizing “hardened” POS and supply‑chain tooling — have already converted “dozens” of accounts and are using Home Depot’s exposure as a sales narrative to demand higher margins and shorter procurement cycles for security services.[5][2]
🔄 Updated: 12/12/2025, 7:11:14 PM
**NEW: Home Depot Stock Dips Amid Reports of Prolonged Internal Systems Exposure** Home Depot ($HD) shares fell **2.3%** in after-hours trading on Friday, closing at **$385.47** after a cybersecurity researcher revealed the retailer's internal systems were left vulnerable for nearly a year, echoing the 2014 breach that cost the company **$179 million** in legal fees, fines, and reparations[2][6]. Analysts cited investor fears of regulatory scrutiny and lawsuits similar to the prior incident, where malware lingered undetected for five months, compromising 56 million credit cards[1][2]. No official company statement on market impact has been issued as of 7 PM UTC.
🔄 Updated: 12/12/2025, 7:21:24 PM
**BREAKING: No Official Regulatory Response Yet to Home Depot Systems Exposure** Security researcher Zimmermann revealed that Home Depot left internal systems, including corporate developer platforms and cloud services, exposed for approximately **one year** due to an employee publicly posting a private access token, enabling potential source code tampering and supply chain risks[6]. As of December 12, 2025, **no government agencies or regulators have issued statements or launched probes**, though experts note that consumer protection bodies and state attorneys general could intervene if personal data access is confirmed, triggering formal notification mandates[6]. Private fallout from prior Home Depot breaches includes **$170-179 million** in settlements with financial institutions, but this incident awaits official scrutiny[2][5].