- Home Depot exposed a GitHub token for a year, providing access to critical internal systems.
- The researcher's warnings were ignored until media intervention, after which the token was revoked.
- Similar leaks on GitHub/GitLab show widespread risks from hardcoded secrets and misconfigured repositories.
Home Depot kept access to its internal systems open for more than a year to anyone who knew where to look, experts warned.
Security researcher Ben Zimmermann recently found a published GitHub access token belonging to a Home Depot employee.
The token was exposed, likely by mistake, in early 2024, and provided access to “hundreds of Home Depot’s private source code repositories” hosted on GitHub. Zimmermann said the token allowed him to modify the contents of these repositories.
A common problem
The token gave the researcher access to the company’s cloud infrastructure, order fulfillment and inventory management systems, and code development pipelines.
Zimmermann also said he tried to contact Home Depot multiple times and through different channels, but was met with silence.
The hole was plugged only after he reported his findings to TechCrunch and the publication contacted the company, which confirmed that the token was removed in early December and access revoked.
GitHub access tokens are often left behind during software development and therefore present a unique opportunity for hackers looking for an easy way to gain access to company infrastructure.
A security researcher recently discovered thousands of secrets in public GitLab Cloud repositories, demonstrating how software developers inadvertently expose their own projects to cyberattacks. Luke Marshall revealed how he scanned GitLab Cloud, Bitbucket and Common Crawl, looking for things like API keys, passwords or tokens – and unfortunately discovered a lot.
And in April 2025, security researchers at GreyNoise warned that Singaporean threat actors were looking for organizations in the country that could be hacked and exploited. At that time, cybercriminals were increasingly looking for exposed Git configuration files.




