Home Depot Systems Exposed for a Year
12 Dec, 2025
Summary
- Access token for Home Depot's internal systems was exposed online for a year.
- Researcher's attempts to privately notify Home Depot were ignored for weeks.
- The security lapse was fixed only after media intervention.
- The exposed token granted access to hundreds of private source code repositories.

A significant security lapse at Home Depot, in which an employee's private access token was exposed online for about a year, has now been addressed. A security researcher identified the token, which granted access to hundreds of private source code repositories on GitHub and to Home Depot's cloud infrastructure, including order fulfillment and inventory systems.
The researcher attempted to privately notify Home Depot and its Chief Information Security Officer multiple times via email and LinkedIn, but these communications were reportedly ignored for several weeks. Home Depot currently lacks a formal channel for reporting security flaws, such as a bug bounty program.
Following the researcher's outreach to the media, Home Depot acknowledged the issue. The exposed token was quickly removed, and its access was revoked shortly after the company was contacted. It remains unclear whether other parties accessed Home Depot's internal systems using the token during the extended exposure period.




