Home Depot exposed access to internal systems for a year, says researcher
Home Depot (US:HD) · TechCrunch · 2025-12-12 16:42

Core Insights

- Home Depot suffered a significant security lapse when an employee inadvertently published a private access token online, leaving internal systems exposed for approximately one year [1][2]
- The exposed token granted access to numerous private source code repositories and critical cloud infrastructure, including order fulfillment and inventory management systems [2][3]
- Despite a security researcher's attempts to notify Home Depot of the exposure, the company did not respond until TechCrunch contacted it, after which the issue was promptly addressed [4][5]

Security Exposure Details

- Security researcher Ben Zimmermann discovered the access token in early November 2024; it allowed him to access and modify hundreds of private repositories on GitHub [2]
- Home Depot has hosted its developer and engineering infrastructure on GitHub since 2015, which raises concerns about the security of those systems [3]
- The researcher reported that Home Depot has no formal process for reporting security vulnerabilities, such as a bug bounty program, which contributed to the delay in addressing the issue [5]

Company Response

- After TechCrunch's intervention, Home Depot acknowledged the issue, and the exposed token was revoked shortly thereafter [5]
- Home Depot's chief information security officer did not respond to the researcher's outreach via LinkedIn, highlighting a lack of communication channels for security concerns [4]
- Home Depot gave no follow-up on whether any unauthorized access occurred during the period the token was exposed [6]