Security Operations, Data Security

Home Depot systems exposed for a year due to employee error

Home Depot is the Largest Home Improvement Retailer in the US

Home Depot experienced a significant security lapse for approximately one year after an employee inadvertently published a private access token online. Security researcher Ben Zimmermann discovered the exposed token and attempted to notify the company of the vulnerability, but his efforts were initially ignored. According to TechCrunch's report, the issue was only resolved after TechCrunch itself intervened.

The exposed GitHub access token, belonging to a Home Depot employee, was found by Zimmermann in early November and had likely been public since early 2024. Upon testing, Zimmermann found the token granted access to hundreds of private Home Depot source code repositories, allowing for modifications. The token also provided access to critical internal systems, including order fulfillment, inventory management, and code development pipelines. Zimmermann reported sending multiple emails and a LinkedIn message to Home Depot and its chief information security officer without receiving a response.

This incident highlights the critical need for robust vulnerability disclosure programs within large corporations. The prolonged period the token remained active raises concerns about potential unauthorized access to sensitive internal data and systems, underscoring the importance of prompt responses to security alerts and comprehensive monitoring of cloud-based assets.
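One concrete form the "comprehensive monitoring" above can take is scanning committed text for GitHub token formats before it reaches a public repository. The following is an added example, not code from SC Media, TechCrunch or Home Depot; it assumes the publicly documented token shapes (a four-character prefix such as `ghp_` plus 36 base62 characters, or `github_pat_` plus 22, an underscore and 59 characters) and uses a constructed sample file with made-up, non-functional token strings.

```python
import math
import re

# Documented GitHub token shapes (assumption: prefixes and lengths as publicly
# described by GitHub; the regexes themselves are this example's, not GitHub's).
TOKEN_PATTERNS = {
    "github_classic_or_app": re.compile(r"\b(gh[pousr]_[A-Za-z0-9]{36})\b"),
    "github_fine_grained": re.compile(
        r"\b(github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"),
}
# Real tokens are random; obvious placeholders (ghp_AAAA...) carry little entropy.
MIN_ENTROPY_BITS = 3.0

# Constructed sample of lines a pre-commit scanner might see; tokens are fake.
SAMPLE = """\
# constructed sample config committed by mistake
export GITHUB_TOKEN="ghp_Ab3dEf9hIj2kLm5nOp8qRs1tUv4wXy7zAb0c"
# placeholder in docs, not a secret: ghp_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
registry_url = https://example.invalid/npm
ci_token: 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
"""


def shannon_entropy(s):
    """Bits of entropy per character, used to drop placeholder-like matches."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token):
    """Never log the full secret; keep enough to locate it in the file."""
    return token[:8] + "..." + token[-4:]


def scan_text(text):
    """Return findings (line, kind, redacted value) for token-shaped strings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                token = match.group(1)
                if shannon_entropy(token) < MIN_ENTROPY_BITS:
                    continue  # looks like a documentation placeholder
                findings.append({"line": lineno, "kind": kind,
                                 "redacted": redact(token)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f['line']}: {f['kind']} {f['redacted']}")
```

Wired into a pre-commit hook or CI step, a non-empty result blocks the push; the redacted value tells the developer where to look without copying the secret into logs.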

Source: TechCrunch
