I've accidentally pushed a personal PAT (ro) to both GitHub and Gist because of poor hygiene in personal projects; both times GitHub dropped the PAT and notified me.
Last week I accidentally exposed my OpenAI, Anthropic, and Gemini keys. They somehow ended up in Claude Code logs (!). Within seconds I got an email from Anthropic, and they had already disabled my keys. Neither OpenAI nor Google alerted me in any way. I was able to log in to OpenAI and delete all the keys quickly.
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vertex project keys _might_ be! I had to "import project" before I could find where the key is. Google knew the key was exposed, but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
Man, a year to grab all the Home Depot 2x4s you want! Someone could have built a sphere with those.
Any suggestions for secrets management to distribute API keys/DB secrets/etc.?
For a self-hosted use case.
Currently, I manually SSH into the VPS and update env files, but I'm not sure if it's best practice.
What's the biggest damage someone could have done with that info?
It's easy to scan for publicly known services; it's really difficult to understand if a random string that says "key" somewhere is actually a random internal API key.
"Open Source Home Depot" has a nice ring to it
Wow, someone could have used the data from internal systems to do some serious insider trading
If there has been one thing proven over the past 5 years, it's that the Home Depot IT department is useless and can't be trusted with anything regarding security.
I'm surprised that GitHub, OpenAI, etc. don't have automation to scan the usual surfaces for hashes of their access tokens.
It seems like a cheap and simple thing to offer your customers a little extra safety.
Anybody interested in starting a platform agnostic service to do this?
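The distinction the two comments above draw (a known issuer's tokens can be recognised and verified offline; a bare random internal key cannot), together with the proposed hash-registry lookup, as a constructed Python example that is not from any commenter, GitHub or any vendor. The token layout (prefix, 30-character base62 body, 6-character base62-encoded CRC32 checksum) is modeled on GitHub's published token format; the alphabet order, the exact bytes the checksum covers, the `gh[pousr]` prefix list, the entropy threshold and every log line and key below are assumptions made up for the demo.

```python
"""Constructed demo: structured issuer tokens vs. anonymous random keys in log lines."""
import binascii
import hashlib
import math
import re
import string
from collections import Counter

# Base62 alphabet; the ordering is an assumption for this demo.
BASE62 = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62(n: int, width: int) -> str:
    """Encode a non-negative integer in base62, left-padded with '0' to width."""
    digits = ""
    while n:
        n, rem = divmod(n, 62)
        digits = BASE62[rem] + digits
    return digits.rjust(width, "0")


def checksum(body: str) -> str:
    """6-char checksum over the 30-char body: CRC32, base62 (modeled on GitHub's layout; coverage assumed)."""
    return base62(binascii.crc32(body.encode("ascii")) & 0xFFFFFFFF, 6)


def make_token(prefix: str, body: str) -> str:
    """Build a structured token: <prefix>_<30 base62 chars><6-char checksum>."""
    if len(body) != 30 or any(c not in BASE62 for c in body):
        raise ValueError("body must be 30 base62 characters")
    return f"{prefix}_{body}{checksum(body)}"


# Known-issuer format: prefix, 30-char body, 6-char checksum. Verifiable with no network call.
STRUCTURED = re.compile(r"\b(gh[pousr])_([0-9A-Za-z]{30})([0-9A-Za-z]{6})\b")
# Anything that merely looks like a long random string.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-]{32,}")
ENTROPY_THRESHOLD = 4.2  # bits/char; hex tops out at 4.0, random base62 usually exceeds this


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line: str, issued_hashes: set[str]) -> list[dict]:
    """Findings for one line. issued_hashes: sha256 hex digests an issuer has published for live tokens."""
    findings = []
    structured_spans = []
    for m in STRUCTURED.finditer(line):
        structured_spans.append(m.span())
        findings.append({
            "kind": "structured",
            "value": m.group(0),
            "checksum_ok": checksum(m.group(2)) == m.group(3),  # offline verification
            "confidence": "high",
        })
    for m in CANDIDATE.finditer(line):
        if any(a <= m.start() < b for a, b in structured_spans):
            continue  # already reported as a structured token
        value = m.group(0)
        if hashlib.sha256(value.encode()).hexdigest() in issued_hashes:
            findings.append({"kind": "hash-match", "value": value, "confidence": "high"})
        elif shannon_entropy(value) >= ENTROPY_THRESHOLD:
            # All that is left for an unstructured internal key: a noisy heuristic.
            findings.append({"kind": "high-entropy", "value": value, "confidence": "low"})
    return findings


# --- constructed sample data (not real tokens, keys or logs) ---
BODY = "Ab3dE6gH9jK2mN5pQ8sT1vW4yZ7bC0"                       # 30 base62 chars
GOOD_TOKEN = make_token("ghp", BODY)
BAD_TOKEN = GOOD_TOKEN[:-1] + ("A" if GOOD_TOKEN[-1] != "A" else "B")  # corrupted checksum
INTERNAL_KEY = "k9Q2xLm7Vb3ZpR8tYc4WnJ6hF1sDaG5eH0uTqXiE"         # 40 distinct chars, no structure
HEX_SHA = "3f2a9c1e8b7d6a5f4e3d2c1b0a9f8e7d6c5b4a39"              # looks random, is just a digest
ISSUED = {hashlib.sha256(INTERNAL_KEY.encode()).hexdigest()}      # what a hash registry would hold

LOG_LINES = [
    f"git push failed: remote rejected, token={GOOD_TOKEN}",
    f"retrying with token={BAD_TOKEN}",
    f"INTERNAL_API_KEY={INTERNAL_KEY}",
    f"build artifact sha1 {HEX_SHA} uploaded",
]


def scan_lines(lines: list[str], issued_hashes: set[str]) -> list[tuple[int, dict]]:
    return [(i, f) for i, line in enumerate(lines) for f in scan_line(line, issued_hashes)]


if __name__ == "__main__":
    for i, finding in scan_lines(LOG_LINES, ISSUED):
        print(i, finding)
```

Prefix-plus-checksum detection is what lets an issuer flag its own token with near-zero false positives and no lookup at all. A published-hash registry only helps if the issuer actually publishes digests and the tokens carry enough entropy that the digest cannot be brute-forced, which is why GitHub's secret scanning partner program sends candidate matches to the issuer for verification rather than publishing anything. For an unstructured internal key the entropy heuristic is all that remains, and it cannot tell a key from any other base62 blob.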
Given the absolute state of their website on mobile, it's hardly surprising. It's faster to find an employee and ask them where an item is than to wait for the search to finish, see that the "current store" now points to a random location somewhere in a different state, pick the correct store, and redo the search.
Wow, the non-response/non-communication at any time by Home Depot to all parties involved in trying to help them is staggering.
jesus christ
>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.
>
>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.