A major security lapse at Home Depot put internal systems at risk for nearly a year. A researcher found a private company access token posted publicly online. The token granted deep access to Home Depot’s digital infrastructure.

The issue began in early 2024. It remained unaddressed until a media inquiry in December 2025. According to TechCrunch, the company initially ignored the researcher’s warnings.
Researcher Finds Unprotected Key to Internal Systems
Security expert Ben Zimmermann discovered the token in early November. It was a GitHub access token belonging to a Home Depot employee. The token was likely published by mistake.

Testing confirmed its power. The key provided access to hundreds of private Home Depot source code repositories. It even allowed modifications to that code.

This access was extensive. It included cloud infrastructure, order fulfillment, and inventory management systems. Development pipelines were also exposed.

Home Depot has relied on GitHub for engineering since 2015. This made the exposure particularly dangerous. A malicious actor could have caused significant harm.

Failed Disclosure Leads to Media Intervention
Zimmermann attempted to report the flaw responsibly. He sent multiple emails to Home Depot security contacts. He received no response for weeks.

He also messaged the company’s chief information security officer on LinkedIn. That attempt also failed. The researcher had successfully reported similar issues to other firms.

“Home Depot is the only company that ignored me,” Zimmermann stated. The company lacks a formal bug bounty program. This made responsible disclosure difficult.

Frustrated, the researcher contacted TechCrunch. The news outlet reached out to Home Depot on December 5. The token was revoked shortly after that contact.

It remains unclear if anyone else used the token maliciously. Home Depot did not comment on whether they reviewed access logs. The company spokesperson acknowledged receipt but did not answer follow-up questions.
This Home Depot exposure highlights critical gaps in corporate security response. The company’s systems are now secure, but the delayed fix raises serious questions.
Thought you’d like to know
Q1: What was exposed in the Home Depot security incident?
The exposed item was a GitHub access token. This digital key granted access to private company source code and internal systems. It could modify code for order and inventory systems.
Q2: How long was the Home Depot token exposed online?
The token was publicly available for nearly a full year. It was posted in early 2024 and discovered in November 2025. The exposure lasted until early December 2025.
Q3: Did Home Depot know about the problem before the media?
Yes. A security researcher alerted the company weeks before TechCrunch’s report. Home Depot did not respond to multiple private disclosure attempts from the finder.
Q4: What could a hacker have done with the exposed token?
A bad actor could have accessed and altered internal software. This includes systems managing orders and warehouse inventory. The access was broad and potentially very damaging.
Q5: Has Home Depot fixed the security flaw?
Yes. The token was revoked shortly after TechCrunch contacted the company. The public exposure point is now closed, according to the researcher’s findings.