Home Depot accidentally exposed access for some of its internal systems for approximately a year after an employee published a private access token to the public internet, according to a security researcher. Live tokens included deep access across corporate developer platforms and cloud services, the researcher, who went by Zimmermann, said. “The full scope of that would be source code tampering (in operation), and likely up to supply chain compromise at least.” Attempts to privately warn the company were said to have gone unanswered for weeks.
What the leaked token could accomplish across systems
Testing the token allowed Zimmermann to access hundreds of private source code repositories living on GitHub, including write-level permissions that could have permitted changes to production-bound code. The same credentials also facilitated access to cloud infrastructure associated with order fulfillment, inventory management, and the development pipelines for code — all systems critical to retail operations and logistics.
Home Depot has used GitHub to host developer and engineering projects for several years, according to a company profile on the GitHub website. If the researcher’s claims are true, that combination of source code access and pipeline permissions adds up to a classic software supply chain risk: an attacker could alter code quietly, push malicious changes through the build systems, and slip them into applications or tooling without notice.
Disclosure Attempts And Corporate Silence
The researcher said he got no response after sending several emails to security contacts and after reaching out via LinkedIn directly to the company’s chief information security officer, Chris Lanzilotta. The company did not answer questions about whether logging and telemetry could be used to verify whether others used the token while it was exposed or if the credentials have since been revoked.
So far there is no public evidence that customer data was accessed or that anything nefarious took place. Even so, the situation underscores a challenge that many large organizations have to address: how quickly incoming vulnerability reports are triaged, validated, and fixed when they arrive outside formal bug bounty channels.
Why It Matters for Supply Chain Security
Combined access to source code and CI/CD is arguably one of the most severe kinds of exposure an organization can have. The SolarWinds breach, for instance, showed how tampering at the build stage can lead to cascading compromise downstream. The Codecov breach showed how one tainted piece of software can give attackers access to hundreds or thousands of environments. Car makers, utilities, and tech firms have likewise suffered from keys leaked into public repositories, a glimpse of how something as simple as a stray credential can open enterprise doors.
Before getting to the identity and access management side, industry research reminds everyone that exposed or stolen credentials are among the most commonly seen initial access vectors. According to the Verizon Data Breach Investigations Report (DBIR), stolen credentials account for a significant share of breaches, especially in web and application environments. IBM’s Cost of a Data Breach reports have linked slower detection and more expensive remediation to cases in which credentials were embedded in code or automation.
Home Depot’s history of a large payment-card breach, which was linked to compromised credentials from a third party, shows how access vulnerabilities can snowball into business impact. Though the current report focuses on access for developers and cloud services, rather than point-of-sale systems, “the operational risks — of a disruption, fraud, or tampered software in some other way — are equally high,” he said.
How this could be fixed with practical safeguards
Short-term remediation steps for exposed tokens
- Invalidate exposed tokens, rotate dependent secrets, and reset sessions.
- Review logs across GitHub.com, cloud providers, and CI/CD systems.
- Conduct selective audits of repository commit histories and pipeline artifacts to identify unauthorized changes.
- Enable signed/authenticated commits and verified builds to strengthen provenance checks.
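The log review in the second step is where the token's actual use during the exposure window gets established. The script below is an added example, not code from the article or from Home Depot: it triages constructed audit-log events for a single token, ranking writes that came from an unexpected source address highest, and lists the repositories whose commit history then needs the audit in the third step. The event schema (ts, action, actor, ip, repo, token_id) and the action names are assumptions; a real GitHub or cloud audit export would have to be mapped onto them first.

```python
"""Triage audit-log events tied to an exposed token.

Added example, not from the article or from Home Depot. The event records
below are constructed and use a simplified, assumed schema (ts, action,
actor, ip, repo, token_id); map a real GitHub or cloud audit export onto
it before use.
"""
from datetime import datetime

# Constructed sample events (assumed schema), in the order they were logged.
SAMPLE_EVENTS = [
    {"ts": "2023-12-01T10:00:00Z", "action": "git.push",  "actor": "ci-bot",
     "ip": "203.0.113.10", "repo": "acme/orders",    "token_id": "tok-1"},
    {"ts": "2024-03-01T09:12:00Z", "action": "git.push",  "actor": "ci-bot",
     "ip": "203.0.113.10", "repo": "acme/orders",    "token_id": "tok-1"},
    {"ts": "2024-03-15T22:40:00Z", "action": "git.clone", "actor": "ci-bot",
     "ip": "198.51.100.7", "repo": "acme/orders",    "token_id": "tok-1"},
    {"ts": "2024-03-16T02:05:00Z", "action": "git.push",  "actor": "ci-bot",
     "ip": "198.51.100.7", "repo": "acme/inventory", "token_id": "tok-1"},
    {"ts": "2024-03-20T10:00:00Z", "action": "git.push",  "actor": "dev-alice",
     "ip": "203.0.113.10", "repo": "acme/orders",    "token_id": "tok-9"},
]

# Actions that can change code or pipeline state (assumed action names).
WRITE_ACTIONS = {"git.push", "repo.create", "protected_branch.policy_override",
                 "workflows.update", "secrets.update"}


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def severity(action: str, ip: str, known_ips: set) -> str:
    """Rank an event: writes from unexpected sources are the ones to chase first."""
    is_write = action in WRITE_ACTIONS
    unknown_ip = ip not in known_ips
    if is_write and unknown_ip:
        return "high"
    if unknown_ip:
        return "medium"
    if is_write:
        return "low"      # expected automation, still worth a look
    return "info"


def triage(events, token_id: str, exposed_from: str, known_ips) -> list:
    """Return the token's events since exposure, each tagged with a severity."""
    start = parse_ts(exposed_from)
    known = set(known_ips)
    findings = []
    for ev in events:
        if ev["token_id"] != token_id or parse_ts(ev["ts"]) < start:
            continue
        findings.append({**ev, "severity": severity(ev["action"], ev["ip"], known)})
    return findings


def repos_needing_commit_audit(findings) -> list:
    """Repositories that received a write from an unexpected source."""
    return sorted({f["repo"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS, "tok-1", "2024-02-15T00:00:00Z", ["203.0.113.10"])
    for f in found:
        print(f"{f['severity']:6} {f['ts']} {f['action']:10} {f['repo']} from {f['ip']}")
    print("audit commit history of:", repos_needing_commit_audit(found))
```

The known-address list is the weak point of this approach: if the token was used from the same egress addresses as legitimate automation, source address alone will not separate the two, and the commit-history audit has to cover every repository the token could write to, not only the ones flagged here.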
Long-term access controls and cloud guardrails
- Enforce least privilege with short-lived credentials and identity federation (e.g., OpenID Connect) to mint ephemeral tokens per workflow.
- Enable secret scanning and push protection; apply repository rules, branch protections, CODEOWNERS reviews, and required status checks.
- In cloud environments, use IAM boundaries, service control policies, and time-bound access to prevent overpermissioned tokens from becoming skeleton keys.
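Identity federation only delivers least privilege if the trust policy on the cloud side is pinned tightly. A common mistake with GitHub Actions OIDC on AWS is to check the audience claim but omit the subject claim, which leaves the role assumable from any repository on GitHub. The script below is an added example, not the article's or Home Depot's code; both policies in it are constructed, and the account id and repository name are placeholders. It lints a trust policy for the audience and subject conditions and for the federated principal being the GitHub OIDC provider.

```python
"""Lint an AWS IAM role trust policy used for GitHub Actions OIDC federation.

Added example, not from the article or Home Depot. The policies are
constructed; the account id and repository are placeholders. The check
enforces what keeps a federated role least-privilege: the aud claim is pinned
to STS and the sub claim is pinned to one repository and one branch, tag or
environment, so no other repository or branch can assume the role.
"""
import json

ISSUER = "token.actions.githubusercontent.com"
AUD_KEY = f"{ISSUER}:aud"
SUB_KEY = f"{ISSUER}:sub"


def trust_policy(conditions: dict) -> str:
    """Build a constructed trust policy for the GitHub OIDC provider."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": conditions,
        }],
    })


# Constructed: audience checked, subject not. Any GitHub workflow that learns
# the role ARN could assume this role.
WEAK_POLICY = trust_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}})

# Constructed: pinned to one repository and its main branch.
GOOD_POLICY = trust_policy({
    "StringEquals": {AUD_KEY: "sts.amazonaws.com"},
    "StringLike": {SUB_KEY: "repo:acme/orders:ref:refs/heads/main"},
})


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(policy_json: str) -> list:
    """Return a list of problems; an empty list means the policy passes."""
    policy = json.loads(policy_json)
    problems = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        federated = _as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        if not any(p.endswith("/" + ISSUER) for p in federated):
            problems.append(f"statement {i}: principal is not the GitHub OIDC provider")
        # Collect the OIDC claim conditions regardless of operator (StringEquals, StringLike, ...).
        claims = {}
        for operator, pairs in stmt.get("Condition", {}).items():
            for key, value in pairs.items():
                claims[key] = (operator, _as_list(value))
        aud = claims.get(AUD_KEY)
        if aud is None or aud[1] != ["sts.amazonaws.com"]:
            problems.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        sub = claims.get(SUB_KEY)
        if sub is None:
            problems.append(f"statement {i}: no sub condition; any GitHub repository could assume this role")
            continue
        for pattern in sub[1]:
            parts = pattern.split(":", 2)   # repo : owner/name : ref|environment|...
            if len(parts) < 3 or parts[0] != "repo" or "*" in parts[1]:
                problems.append(f"statement {i}: sub {pattern!r} is not scoped to a single repository")
            elif "*" in parts[2] or not (parts[2].startswith("ref:refs/") or parts[2].startswith("environment:")):
                problems.append(f"statement {i}: sub {pattern!r} is not pinned to a branch, tag or environment")
    return problems


if __name__ == "__main__":
    print("weak:", lint_trust_policy(WEAK_POLICY))
    print("good:", lint_trust_policy(GOOD_POLICY))
```

Run this over every role that trusts the OIDC provider; the role permissions themselves still need a permission boundary or service control policy on top, since the trust policy only controls who can assume the role, not what the role can do once assumed.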
Establish clear vulnerability disclosure channels
- Publish a public vulnerability disclosure policy and host a security.txt file.
- Participate in coordinated bug bounty programs via platforms such as HackerOne or Bugcrowd.
- Follow federal guidance from CISA; private-sector adoption is increasing because the model is effective.
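A security.txt file (RFC 9116) is the cheapest of these measures, and it fails most often on details: a Contact that is a bare e-mail address rather than a mailto: URI, or an Expires field that is missing or already past, which tells a researcher the file is unmaintained. The checker below is an added example, not from the article or from Home Depot; the sample file is constructed, and the clock is a parameter so the expiry checks are repeatable.

```python
"""Check a security.txt file for the RFC 9116 rules that most often go wrong.

Added example, not from the article. The sample file is constructed. The
`now` argument accepts a datetime or an ISO 8601 string so expiry checks are
deterministic in tests.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample; RFC 9116 places the file at /.well-known/security.txt over HTTPS.
SAMPLE_SECURITY_TXT = """\
# Constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00.000Z
Preferred-Languages: en
Policy: https://example.com/security/vdp
Canonical: https://example.com/.well-known/security.txt
"""

# RFC 9116: Contact values are URIs; web URIs must use https.
URI_SCHEME = re.compile(r"^(https://|mailto:|tel:)", re.IGNORECASE)


def parse_security_txt(text: str) -> dict:
    """Return {field: [values]} in file order; blank lines and # comments are skipped."""
    fields = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()].append(value.strip())
        else:
            fields["_malformed"].append(line)
    return fields


def _to_datetime(value):
    if isinstance(value, str):
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    return value


def validate_security_txt(text: str, now=None) -> list:
    """Return a list of problems; an empty list means the checked rules pass."""
    now = _to_datetime(now) or datetime.now(timezone.utc)
    f = parse_security_txt(text)
    problems = [f"malformed line: {line!r}" for line in f["_malformed"]]
    if not f["Contact"]:
        problems.append("Contact is required (at least one)")
    for contact in f["Contact"]:
        if not URI_SCHEME.match(contact):
            problems.append(f"Contact {contact!r} must be a URI (https://, mailto: or tel:)")
    if len(f["Expires"]) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            expires = _to_datetime(f["Expires"][0])
        except ValueError:
            problems.append(f"Expires {f['Expires'][0]!r} is not an ISO 8601 date-time")
        else:
            if expires.tzinfo is None:
                problems.append("Expires must include a time zone")
            elif expires <= now:
                problems.append("security.txt has expired; researchers may treat it as stale")
            elif expires - now > timedelta(days=366):
                problems.append("Expires is more than a year out (RFC 9116 recommends under a year)")
    if len(f["Preferred-Languages"]) > 1:
        problems.append("Preferred-Languages may appear at most once")
    return problems


if __name__ == "__main__":
    print(validate_security_txt(SAMPLE_SECURITY_TXT))
```

Wire the check into the same pipeline that deploys the site, so an expired or malformed file fails the build rather than sitting unnoticed until a researcher gives up trying to reach you.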
What to watch next as Home Depot evaluates impact
Specific signals to watch for include confirmation that the token has been invalidated, details of its scope, and the outcome of any third-party forensic review. If code or pipeline tampering is ruled out, organizations often publish higher-level lessons learned and control changes in an effort to regain the trust of developers and partners.
If personal data systems were accessed, regulators such as consumer protection and state attorneys general might take an interest, but formal notification requirements would be contingent on the kind of data that was actually accessed.
In any case, the episode is a timely reminder: in a cloud-and-DevOps world, secrets hygiene and responsive disclosure programs are as core to retail operations as inventory and logistics.