Home Depot exposed access to internal systems for a year, says researcher

A security researcher said Home Depot exposed access to its internal systems for a year after one of its employees published a private access token online, likely by mistake. The researcher found the exposed token and tried to privately alert Home Depot to its security lapse but was ignored for several weeks. The exposure is now fixed after TechCrunch contacted company representatives last week. Security researcher Ben Zimmermann told TechCrunch that, in early November, he found a published GitHub access token belonging to a Home Depot employee, which was exposed sometime in early 2024. When he tested the token, Zimmermann said that it granted access to hundreds of private Home Depot source code repositories hosted on GitHub and allowed the ability to modify their contents. The researcher said the keys allowed access to Home Depot’s cloud infrastructure, including its order fulfillment and inventory management systems, and code development pipelines, among other systems. Home Depot has hosted much of its developer and engineering infrastructure on GitHub since 2015, according to a customer profile on GitHub’s website. Zimmermann said he sent several emails to Home Depot but didn’t hear back. Nor did he get a response from Home Depot’s chief information security officer, Chris Lanzilotta, after sending a message over LinkedIn. Zimmermann told TechCrunch that he has disclosed several similar exposures in recent months to companies, which have thanked him for his findings. “Home Depot is the only company that ignored me,” he said. Given that Home Depot does not have a way to report security flaws, such as a vulnerability disclosure or bug bounty program, Zimmermann contacted TechCrunch in an effort to get the exposure fixed. When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach. We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back. Topics cybersecurity, data breach, Exclusive, GitHub, home depot, Security Zack Whittaker Security Editor Zack Whittaker is the security editor at TechCrunch. He also authors the weekly cybersecurity newsletter, this week in security. He can be reached via encrypted message at zackwhittaker.1337 on Signal. You can also contact him by email, or to verify outreach, at zack.whittaker@techcrunch.com.

View Bio Dates TBD Locations TBA Plan ahead for the 2026 StrictlyVC events. Hear straight-from-the-source candid insights in on-stage fireside sessions and meet the builders and backers shaping the industry. Join the waitlist to get first access to the lowest-priced tickets and important updates.

Waitlist Now Most Popular Google launched its deepest AI research agent yet — on the same day OpenAI dropped GPT-5.2 Julie Bort Disney hits Google with cease-and-desist claiming ‘massive’ copyright infringement Aisha Malik OpenAI fires back at Google with GPT-5.2 after ‘code red’ memo Rebecca Bellan Marco Rubio bans Calibri font at State Department for being too DEI Julie Bort SpaceX reportedly planning 2026 IPO with $1.5T valuation target Sean O'Kane Claude Code is coming to Slack, and that’s a bigger deal than it sounds Rebecca Bellan Creator IShowSpeed sued for allegedly punching, choking viral humanoid Rizzbot Dominic-Madori Davis