- Home Depot exposed a GitHub token for a year, granting access to critical internal systems
- The researcher’s warnings were ignored until the media intervened, after which the token was revoked.
- Similar leaks on GitHub/GitLab show widespread risks due to hard-coded secrets and misconfigured repositories.
Home Depot kept access to its internal systems open for more than a year to anyone who knew where to look, experts warned.
Security researcher Ben Zimmermann recently found a published GitHub access token that belonged to a Home Depot employee.
The token was exposed, likely by mistake, in early 2024 and granted access to “hundreds of private Home Depot source code repositories” hosted on GitHub. Zimmermann said the token allowed him to modify the content of those repositories.
A common problem
The token granted the researcher access to the company’s cloud infrastructure, its order fulfillment and inventory management systems, and its code development pipelines.
Zimmermann also said he tried to contact Home Depot on multiple occasions and through different channels, but received no response.
The hole was plugged only after he reported his findings to TechCrunch and the publication contacted the company. Home Depot confirmed that the token was removed in early December and access was revoked.
GitHub access tokens are often left behind during software development and as such present a unique opportunity for hackers looking for an easy way to access corporate infrastructure.
A security researcher recently found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers inadvertently put their own projects at risk of cyberattacks. Luke Marshall revealed how he scanned GitLab Cloud, Bitbucket and Common Crawl for API keys, passwords and tokens, and found a good many of them.
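The leaks described above share a cause: a credential committed to a repository that a scanner can later pick out by its shape. The following is an added example, not code from the article or from the researchers it cites, of the kind of pre-commit check a defender would run over their own files before they reach GitHub. It matches the public GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`) and the AWS `AKIA` access-key format, and falls back to a Shannon-entropy heuristic for generic `token = "..."` style assignments; the sample lines, the token values inside them and the 3.5-bit threshold are all constructed for the demonstration.

```python
import math
import re
from collections import Counter

# Credential formats with a fixed, recognisable shape (public GitHub and AWS formats).
SPECIFIC_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained_token": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Generic "name = value" assignment whose name suggests a credential; the value is
# only reported if it looks random enough to be a real secret.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; a heuristic cut-off chosen for this example


def shannon_entropy(value):
    """Bits of entropy per character of the string (0.0 for a repeated character)."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text):
    """Return a list of (line_number, finding_kind) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched = False
        for kind, pattern in SPECIFIC_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, kind))
                matched = True
        if matched:
            continue  # a known format already explains this line
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
            findings.append((lineno, "high_entropy_secret"))
    return findings


# Constructed sample input: every value below is made up for the demonstration.
SAMPLE_TEXT = "\n".join([
    "export GITHUB_TOKEN=ghp_Q1w2E3r4T5y6U7i8O9p0A1s2D3f4G5h6J7k8",   # classic PAT shape
    "aws_access_key_id = AKIAEXAMPLEKEY000001",                        # AWS access key shape
    'api_key = "x7Gq9Lm2Pz4Rt8Wv1Yb5Nc3Kd6Jf0Hs"',                     # random-looking value
    'version = "1.0.0"',                                               # harmless
    "# TODO: rotate token after demo",                                 # keyword, no value
    'token = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"',                       # low entropy, ignored
])


if __name__ == "__main__":
    for lineno, kind in scan_text(SAMPLE_TEXT):
        print(f"line {lineno}: possible {kind}")
```

Run it from a pre-commit hook over the staged diff (`git diff --cached`) rather than over the working tree, so a hit blocks the commit before the value ever reaches a remote. A hit on something already pushed means the credential is burned: rotating or revoking it is the fix, since deleting it in a later commit leaves it in the repository history.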
And in April 2025, security researchers at GreyNoise warned that threat actors were targeting Singapore, looking for organizations in the country that could be breached and exploited. At that time, cybercriminals were increasingly hunting for exposed Git configuration files.