Home Depot Exposes Internal Systems After Year‑Long GitHub Token Leak

December 12, 2025

A security researcher discovered that a Home Depot employee had inadvertently published a GitHub access token that had been active for a year, giving the holder unrestricted access to hundreds of the retailer’s private source‑code repositories and critical cloud infrastructure, including order‑fulfillment and inventory‑management systems.

The token, which was first posted to a public GitHub repository in December 2024, remained active until it was identified on December 12, 2025. It granted full read/write permissions to all of Home Depot’s private repositories and to the Google Cloud services that host the company’s e‑commerce platform and data‑analytics workloads.

Home Depot disabled the compromised token immediately after the researcher notified the company and launched an internal investigation. The company engaged a third‑party security firm to conduct a forensic review and to assess whether any code was altered or data was exfiltrated. No evidence of malicious code or data theft was found, and the incident was contained before any operational impact was observed.

The breach follows a history of security incidents at Home Depot, including a 2014 point‑of‑sale malware attack that exposed 56 million customer payment cards and a 2024 breach caused by a misconfigured SaaS vendor that exposed the personal data of 10,000 employees. The new incident highlights gaps in credential management and in monitoring of internal access tokens.
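The two control gaps named above, a token-shaped string reaching a public repository unnoticed and a credential outliving any rotation policy, are the kind a pre-commit check and a periodic inventory audit would catch. The following Python is an added example written for this page; it is not code from the article, from Home Depot, or from GitHub. The token formats it matches are the ones GitHub publicly documents for classic and fine-grained personal access tokens; the sample file, the token inventory, the 90‑day rotation limit and the December 2024 creation day are constructed assumptions.

```python
import re
from datetime import date

# Added example, not from the article or from Home Depot: a minimal
# pre-commit style scanner for GitHub token formats, plus an inventory
# audit that flags credentials older than a rotation policy allows.

# GitHub's documented token shapes: classic PATs and OAuth-family tokens
# are a short prefix (ghp_, gho_, ghu_, ghs_, ghr_) plus 36 characters;
# fine-grained PATs are "github_pat_" + 22 chars + "_" + 59 chars.
TOKEN_PATTERNS = [
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    re.compile(r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
]


def find_tokens(text):
    """Return (line_number, redacted_prefix) for every token-shaped string.

    The full value is never returned or logged: a CI log that echoes the
    secret it just found is itself a second leak.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pat in TOKEN_PATTERNS:
            for m in pat.finditer(line):
                hits.append((lineno, m.group(0)[:8] + "..."))
    return hits


def overdue_tokens(inventory, today, max_days=90):
    """Return names of tokens older than max_days (assumed 90-day policy).

    inventory: list of (name, creation_date) pairs from a credential register.
    """
    return [name for name, created in inventory if (today - created).days > max_days]


# Constructed sample file, not real content. The "short" value shows that
# the prefix alone is not enough to trigger a hit.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample .env, not real content",
    "GITHUB_TOKEN=ghp_" + "A" * 36,
    "API_URL=https://api.example.test",
    "GH_FINE=github_pat_" + "B" * 22 + "_" + "C" * 59,
    "NOT_A_TOKEN=ghp_short",
])

# Constructed inventory. The article dates the leaked token to December 2024
# and its revocation to 12 December 2025; the exact creation day is assumed.
SAMPLE_INVENTORY = [
    ("ci-deploy", date(2024, 12, 1)),
    ("release-bot", date(2025, 11, 20)),
]
SAMPLE_TODAY = date(2025, 12, 12)


if __name__ == "__main__":
    for lineno, redacted in find_tokens(SAMPLE_CONFIG):
        print(f"line {lineno}: token-shaped value starting {redacted}")
    for name in overdue_tokens(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{name}: exceeds rotation policy, rotate or revoke")
```

Wiring `find_tokens` into a pre-commit hook blocks the push that starts an exposure; running `overdue_tokens` against a credential register on a schedule bounds how long a token that slipped through can stay useful. Neither check is specific to GitHub; the same structure applies to any cloud provider that publishes its key formats.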

While the immediate operational impact was limited, the exposure of source code and cloud infrastructure raises concerns about intellectual‑property theft, potential introduction of malicious code, and the integrity of Home Depot’s supply‑chain and customer‑facing systems. The incident may also trigger regulatory scrutiny and could erode customer trust, prompting the company to invest further in security tooling and employee training.

Home Depot has not issued a public statement beyond confirming the containment of the token and the completion of its investigation. The company’s security posture will likely be reassessed in light of the incident, and stakeholders will watch for any changes to its cybersecurity strategy and potential regulatory actions.
