24 comments

[ 1.5 ms ] story [ 42.5 ms ] thread
Wow, the non-response/communication at any time by Home Depot to all parties involved in trying to help them, is staggering.
Given the absolute state of their website on mobile it's hardly surprising. It's faster to find an employee and ask them where an item is at instead of waiting for the search to finish, see that it the "current store" now points to a random location somewhere in a different state, pick the correct store and re-do the search
Not as bad as Costco. Their app and website are still stuck in 90s.
"Open Source Home Depot" has a nice ring to it
I’m surprised that GitHub, OpenAI etc. doesn’t have automation to scan the usual surfaces for hashes of their access tokens.

It seems like a cheap and simple thing to offer your customers a little extra safety.

Anybody interested in starting a platform agnostic service to do this?

GitHub does! They tell you when you pushed something dangerous almost right away.

GitHub Advanced Security blocks the push, I believe.

The article doesn’t say where the Home Depot token was published. Almost certainly not on GitHub or it would have been invalidated. But AFAIK GitHub doesn’t crawl other sites looking for GitHub tokens. I suppose Microsoft could provide GitHub a feed of GitHub tokens found by their Bing crawlers.
Man, a year to grab all the Home Depot 2x4s you want! Someone could have built a sphere with those.
I don't know how well lumber holds up to the bottom of the ocean
>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.

>

>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.

As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.

The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.

I mean you can't fault them for that approach.

Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.

This is why I go straight to legal for some things. By letter (the kind with a stamp).

As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.

Had to do that with a bank that refused to talk to me (I hit some kind of identify verification quagmire), but they quickly got someone able to call me and close it on the spot.

I've accidentally pushed a personal PAT(ro) to both Github and gist because of poor hygiene in personal projects, both times Github dropped the PAT and notified me.
Yeah I'm impressed they even managed to publish a personal token. My experience with GitHub's automated token recognition has also been positive (tho the tokens were never of any consequence)
Wow, someone could have used the data from internal systems to do some serious insider trading
it's easy to scan for publicly known services, really difficult to understand if a random string that says key somewhere is actually a random internal api key
What's the biggest damage someone could have done with that info?
Last week I accidentally exposed my OpenAI, Anthropic, and Gemini keys. They somehow ended up in Claude Code logs(!) Within seconds I got an email from Anthropic and they have already disabled my keys. Neither OpenAI nor Google alerted me in anyway. I was able to login to OpenAI and delete all the keys quickly.

Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vortex projects keys _might_ be! I had to "import project" before I could find where the key is. Google knew key was exposed but the key seemed to be still active with a "!" next to it!

With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.

If there has been one thing proven over the past 5 years is that the Home Depot IT department is useless and cant be trusted with anything regarding security.
Any suggestions for secrets management to distribute API keys/DB secrets/etc.?

For a self-hosted use case.

Currently, manually SSH into VPs and updating env files but not sure if its best practice.

Damn, their web site is so awful. If the code for it is all in github and the token got loose, maybe the right attacker could have cleaned up the slow javascript bloat, made the search system a lot better, fixed the login bug that makes logging in fail more than half the time depending on your browser, streamlined the ordering system, etc. We missed our chance!