A critical cybersecurity lapse at Home Depot allowed access to internal systems for roughly a year, after an employee mistakenly published a private GitHub access token online. Security researcher Ben Zimmermann discovered the exposure in early November 2025 and attempted to alert Home Depot privately, but the company initially did not respond.
The token, which had been exposed since early 2024, granted access to hundreds of private Home Depot repositories hosted on GitHub. According to Zimmermann, it provided full access to the company’s cloud infrastructure, including order fulfillment, inventory management, and code development pipelines.
Zimmermann noted that he reached out multiple times via email and even LinkedIn to Home Depot’s Chief Information Security Officer, Chris Lanzilotta, but received no response. The lack of a formal vulnerability disclosure or bug bounty program at Home Depot left the researcher with no official reporting channel. Ultimately, TechCrunch’s outreach prompted Home Depot to revoke the token and secure the exposed systems.
“Home Depot is the only company that ignored me,” Zimmermann told TechCrunch, contrasting this with the response from other firms, which have thanked him for similar disclosures. The company has not commented on whether any unauthorized parties accessed internal systems during the exposure.
The incident highlights a growing issue in corporate cybersecurity: organizations increasingly rely on cloud-hosted development infrastructure, but many lack formal mechanisms to identify and remediate leaked credentials. Access tokens, if publicly available, can allow attackers to modify code, compromise operational systems, or disrupt critical workflows.
As companies continue to digitize operations and rely on GitHub and other developer platforms, establishing clear vulnerability reporting channels and proactive monitoring becomes essential. Home Depot’s delayed response underscores the risk when such protocols are absent.