- Home Depot exposed a GitHub token for a year, giving access to critical internal systems
- Researchers’ warnings were ignored until the media intervened, after which the token was revoked
- Similar leaks across GitHub/GitLab show widespread risks from hardcoded secrets and misconfigured repos
Home Depot kept access to its internal systems open for more than a year to anyone who knew where to look, experts have warned.
Security researcher Ben Zimmermann recently found a published GitHub access token that belonged to a Home Depot employee.
The token was exposed, most likely by mistake, in early 2024, providing access to “hundreds of private Home Depot source code repositories,” hosted on GitHub. Zimmermann said the token allowed him to change the contents of those repositories.
A common problem
The token gave the researcher access to the company’s cloud infrastructure, order fulfillment and inventory management systems, as well as code development pipelines.
Zimmermann also said he tried to reach out to Home Depot on multiple occasions and through various channels, but was met with silence.
The loophole was closed only after he reported his findings to TechCrunch: when the publication reached out to the company, Home Depot confirmed that the token was removed in early December and access revoked.
GitHub access tokens are often left behind during software development and as such present a unique opportunity for hackers looking for an easy way into corporate infrastructure.
A security researcher recently found thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers are inadvertently putting their own projects at risk of cyberattacks. Luke Marshall has revealed how he scanned GitLab Cloud, Bitbucket and Common Crawl for things like API keys, passwords or tokens – and unfortunately revealed quite a lot.
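The leaks described above share one root cause: a credential committed in plain text and never noticed. As an added example (not code from the article, from Home Depot, or from the researchers it quotes), the script below is a small pre-commit style scanner of the kind that would have caught such a token before it was pushed. The GitHub prefixes (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) are GitHub's documented token formats; the sample file contents are constructed, and the entropy threshold and placeholder rules are assumptions chosen for illustration.

```python
"""Pre-commit style secret scanner (added example, not the article's code).

Flags GitHub access tokens by their documented prefixes and generic
`password = ...` style assignments whose value looks like a real secret
(high entropy, not a template placeholder). Findings are masked so the
scanner itself never writes a usable secret to its output.
"""
import math
import re
from collections import Counter

# Well-known token formats. The GitHub prefixes are the ones GitHub documents
# for classic and fine-grained personal access tokens and app tokens.
SPECIFIC_PATTERNS = {
    "github_token": re.compile(r"\b(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{22,}\b"),
}

# Generic "secret-looking assignment": a key name containing password/secret/
# api_key/token followed by = or : and a value of at least 8 non-space chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)\b\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)

# Values that are clearly templates, not secrets: ${VAR}, <placeholder>.
PLACEHOLDER = re.compile(r"^(?:\$\{.*\}|<.*>)$")

# Assumed threshold: short English words ("changeme") fall below it,
# random 30+ character keys sit well above it.
ENTROPY_THRESHOLD = 3.5


def shannon_entropy(value):
    """Bits per character of the string; 0.0 for a single repeated character."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value):
    """Keep only the first and last four characters so a finding can be located
    in the file without reproducing the secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text, entropy_threshold=ENTROPY_THRESHOLD):
    """Return a list of {line, kind, masked} findings for the given file text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        specific_hits = []
        for kind, pattern in SPECIFIC_PATTERNS.items():
            for m in pattern.finditer(line):
                specific_hits.append(m.group(0))
                findings.append({"line": lineno, "kind": kind, "masked": mask(m.group(0))})
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Already reported under a specific pattern on this line.
            if any(value in hit or hit in value for hit in specific_hits):
                continue
            if PLACEHOLDER.match(value):
                continue
            if shannon_entropy(value) < entropy_threshold:
                continue
            findings.append({"line": lineno, "kind": "generic_assignment", "masked": mask(value)})
    return findings


# Constructed sample input; none of these values are real credentials.
SAMPLE = """\
# constructed sample config, not a real file
GITHUB_TOKEN = "ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8"
db_password = "changeme"
api_key: 7Qz9xL2mNp4vR8sT1wY6bK3hJ5gF0dC
token = "${CI_JOB_TOKEN}"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} -> {f['masked']}")
```

Run as a pre-commit hook over staged files, the scanner blocks the commit on any finding; the `changeme` and `${CI_JOB_TOKEN}` lines in the sample show the two false-positive filters (entropy and placeholder) doing their job, while the classic PAT and the random API key are reported with only their edges visible.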
And in April 2025, security researchers warned GreyNoise that Singaporean threat actors were on the hunt for organizations in the country that could be breached and exploited. At the time, cybercriminals were increasingly scanning for exposed Git configuration files.