Saved February 14, 2026
Do you care about this?
A security researcher discovered that Home Depot unintentionally exposed access to its internal systems for a year due to a published access token. After attempts to notify the company went ignored, TechCrunch intervened, leading to the token's revocation. Home Depot lacks a formal process for reporting such security issues.
If you do, here's more
Home Depot faced a significant security issue after a private access token belonging to an employee was unintentionally published on GitHub. Security researcher Ben Zimmermann discovered the token in early November 2025; it had been exposed for about a year, likely since early 2024. The token provided access to hundreds of private source code repositories and allowed modifications. It also granted entry to sensitive cloud infrastructure, including order fulfillment and inventory management systems. Home Depot has relied on GitHub for much of its engineering infrastructure since 2015.
Zimmermann attempted to alert Home Depot about the issue multiple times through emails and even reached out to the company's chief information security officer, Chris Lanzilotta, on LinkedIn, but received no response. Frustrated by the lack of communication, he contacted TechCrunch for assistance. After TechCrunch reached out to Home Depot on December 5, the company acknowledged receipt of the inquiry but did not provide further comments. The token has since been revoked, and it's unclear whether anyone exploited the exposed access while it was online.
The absence of a formal reporting mechanism for security flaws at Home Depot, such as a vulnerability disclosure or bug bounty program, highlights a significant gap in their security protocols. Zimmermann noted that he has successfully reported similar security issues to other companies, which responded positively. Home Depot's failure to address this serious lapse raises concerns about their commitment to cybersecurity and responsiveness to vulnerabilities.