A critical security oversight at Home Depot left the retail giant’s internal systems potentially vulnerable for approximately one year, according to recent findings by an independent security researcher. The exposure stemmed from an employee inadvertently publishing a private GitHub access token online in early 2024, creating a significant security gap that remained unaddressed despite attempts to alert the company.

The incident highlights the substantial risks organizations face when access credentials are mishandled and the importance of responsive security communication channels.

The Discovery and Scope of the Exposure

Independent security researcher Ben Zimmermann identified the exposed token in November while conducting routine security assessments. Upon testing the token’s capabilities, Zimmermann discovered it provided extensive access to Home Depot’s digital infrastructure, including hundreds of private source code repositories hosted on GitHub.

The security implications were significant. The token granted not only read access but also modification privileges to these repositories, potentially allowing unauthorized changes to critical systems. According to Zimmermann’s assessment, the exposed credentials provided access to several crucial operational components:

  • Order fulfillment systems
  • Inventory management infrastructure
  • Code development pipelines
  • Other internal development resources

The potential impact was magnified by Home Depot’s extensive use of GitHub for its engineering infrastructure since 2015, as documented in a customer profile on GitHub’s website. This centralization of resources meant a single compromised token could potentially affect multiple operational systems.
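The failure described above is a secret that reached a public place in token form. As an added example that is not from the article, Home Depot or the researcher, this Python scanner flags the token formats GitHub has issued since 2021 (classic and fine-grained personal access tokens, the `gh[pousr]_` and `github_pat_` prefixes) in text before it is committed or published, and reports only a redacted form so the finding itself does not re-leak the credential; the sample file and its tokens are constructed and have never been issued.

```python
import re
import sys
from dataclasses import dataclass

# Public GitHub token shapes: a fixed prefix plus a fixed-length body.
GITHUB_TOKEN_PATTERNS = {
    "classic_pat_or_oauth": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # prefix and last four characters only; never the full secret


def redact(token: str) -> str:
    """Keep just enough of the token to recognise it in a report."""
    head = "github_pat_" if token.startswith("github_pat_") else token[:4]
    return f"{head}...{token[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per token-shaped string, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(path, line_no, kind, redact(match.group(0))))
    return findings


# Constructed sample: one classic-format token, one fine-grained-format token,
# and a short placeholder that must not be reported.
SAMPLE_CONFIG = """\
# deployment settings (constructed sample, tokens are fake)
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
CI_TOKEN=github_pat_1234567890123456789012_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456
placeholder=ghp_xxxxxxxx
"""

if __name__ == "__main__":
    # Scan files named on the command line, or the built-in sample with none.
    targets = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in sys.argv[1:]]
    for path, text in targets or [("sample.env", SAMPLE_CONFIG)]:
        for f in scan_text(path, text):
            print(f"{f.path}:{f.line_no}: {f.kind} {f.redacted}")
    sys.exit(1 if any(scan_text(p, t) for p, t in targets) else 0)
```

Wired into a pre-commit hook or a CI step, a non-zero exit blocks the commit that would otherwise carry the token out of the organisation.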

Failed Attempts at Responsible Disclosure

After discovering the vulnerability, Zimmermann followed standard responsible disclosure protocols by attempting to contact Home Depot directly. His efforts included:

  • Multiple email communications to Home Depot’s general contact channels
  • A direct message to the company’s Chief Information Security Officer, Chris Lanzilotta, via LinkedIn
  • Several follow-up attempts over a period of weeks

Despite these repeated efforts, Zimmermann received no response from the company. This lack of engagement stood in stark contrast to his experiences with other organizations, where similar security disclosures had been acknowledged and addressed promptly. In his own words,