
Home Depot Data Breach: Internal Systems Exposed for a Year

December 12, 2025

Home Depot Security Breach: Year-Long Exposure of Internal Systems

A security vulnerability at Home Depot resulted in a year-long exposure of its internal systems. This occurred after an employee inadvertently published a private access token online.

Discovery and Initial Attempts at Notification

The exposed token was discovered by security researcher Ben Zimmermann in early November. He immediately attempted to privately notify Home Depot of the security lapse, but his initial alerts were reportedly disregarded for several weeks.

The exposure Zimmermann uncovered dates back to early 2024, when the access token belonging to a Home Depot employee first became publicly available on GitHub.

Extent of Access Granted by the Token

Testing revealed that the compromised token provided access to hundreds of Home Depot’s private source code repositories hosted on GitHub. Furthermore, it permitted modifications to the contents of these repositories.

The access the token granted extended beyond source code to Home Depot’s cloud infrastructure. This included critical systems such as order fulfillment, inventory management, and code development pipelines.

Since 2015, Home Depot has increasingly relied on GitHub for its developer and engineering infrastructure, as highlighted in a profile on GitHub’s official website.

Lack of Response from Home Depot

Despite multiple email attempts to reach Home Depot, Zimmermann received no response. He even contacted the company’s chief information security officer, Chris Lanzilotta, via LinkedIn, but this effort also proved unsuccessful.

Zimmermann noted that Home Depot’s lack of response was unusual, as other companies he had alerted to similar exposures had expressed gratitude for his findings.

Escalation to TechCrunch

Due to the absence of a formal vulnerability disclosure or bug bounty program at Home Depot, Zimmermann ultimately contacted TechCrunch to facilitate a resolution.

Upon being contacted by TechCrunch on December 5th, Home Depot spokesperson George Lane acknowledged the inquiry but did not provide further comment in response to follow-up emails.

Resolution and Remaining Questions

Following TechCrunch’s outreach, the exposed token was removed from public access, and its associated permissions were revoked.

However, questions remain regarding whether the token was exploited during the months it was publicly available. TechCrunch inquired whether Home Depot possesses the necessary logs to determine if unauthorized access occurred, but did not receive a response.

Key Takeaways

  • A single exposed access token led to significant potential security risks for Home Depot.
  • The company’s lack of a vulnerability disclosure program hindered timely resolution.
  • The incident highlights the importance of proactive security measures and responsive communication.
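The incident turned on a single credential that sat in a public repository for months, so the most direct proactive measure the takeaways point to is catching token-shaped strings before they are pushed. The following scanner is an added example written for this page; it is not code from the article, from TechCrunch, or from Home Depot. It assumes the publicly documented GitHub token prefixes (`ghp_`, `gho_`, `ghu_`, `ghs_`, `ghr_`, `github_pat_`); the 36-character body is documented for classic tokens, while the minimum lengths used for the other `gh*_` prefixes are an assumption. The sample file content is constructed and the tokens in it are fake.

```python
import re
from dataclasses import dataclass

# GitHub token formats. Classic personal access tokens are "ghp_" followed by
# 36 base62 characters; fine-grained tokens are "github_pat_" + 22 chars + "_"
# + 59 chars. The other gh*_ prefixes (OAuth, app user-to-server, app
# server-to-server, refresh) are matched with an assumed minimum body length
# of 36, since their exact lengths are not all documented.
GITHUB_TOKEN_PATTERNS = {
    "classic_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "oauth_access": re.compile(r"\bgho_[A-Za-z0-9]{36,}\b"),
    "app_user_to_server": re.compile(r"\bghu_[A-Za-z0-9]{36,}\b"),
    "app_server_to_server": re.compile(r"\bghs_[A-Za-z0-9]{36,}\b"),
    "app_refresh": re.compile(r"\bghr_[A-Za-z0-9]{36,}\b"),
    "fine_grained_pat": re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


@dataclass
class Finding:
    line_no: int      # 1-based line in the scanned text
    column: int       # 0-based offset of the match within the line
    kind: str         # key from GITHUB_TOKEN_PATTERNS
    redacted: str     # safe-to-log form of the matched token


def redact(token: str) -> str:
    """Keep the first 4 and last 4 characters so a finding can be correlated
    with the real token in a secrets manager without logging it in full."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def find_tokens(text: str) -> list[Finding]:
    """Scan text (a file, a diff, a commit body) for GitHub-shaped tokens.

    Returns findings ordered by line and column. A hit in committed history
    means the token must be revoked: removing the commit does not un-leak it.
    """
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in GITHUB_TOKEN_PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(
                    Finding(line_no, match.start(), kind, redact(match.group(0)))
                )
    findings.sort(key=lambda f: (f.line_no, f.column))
    return findings


def scan_file(path: str) -> list[Finding]:
    """Convenience wrapper for use in a pre-commit hook or CI step."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_tokens(fh.read())


# Constructed sample: a CI environment file with two fake hard-coded tokens and
# one decoy that is too short to be a real token.
SAMPLE_FILE = """\
# constructed example: never commit credentials like these
GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8
export FG_TOKEN="github_pat_ABCDEFGHIJKLMNOPQRSTUV_01234567890123456789012345678901234567890123456789abcdefghi"
# not a token: ghp_short
"""


if __name__ == "__main__":
    for f in find_tokens(SAMPLE_FILE):
        print(f"line {f.line_no} col {f.column}: {f.kind} {f.redacted}")
```

Run as a pre-commit hook over staged files or in CI over the full history, and treat any finding as a revoke-and-rotate event rather than a cleanup task; the article's timeline (token public from early 2024, permissions revoked only in December 2025) is what this kind of check is meant to shorten.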