Home Depot GitHub token exposed for a year, granted access to internal systems

Home Depot’s Response and Legal Caution

  • Commenters are struck by Home Depot’s lack of communication with the researcher and press, interpreting the silence as legal/PR strategy once “the media” was involved.
  • Some argue this is rational in a litigious, shareholder-driven environment, even if it prevents a transparent postmortem.

Customer Service and Store Experience

  • Experiences with Home Depot staff vary widely: some report attentive help, others say employees are absent, disengaged, or lack basic tool knowledge.
  • Comparisons: Lowe’s is often seen as marginally better; Ace/local hardware stores are repeatedly praised for knowledgeable “old hands” and human service.
  • Several people now just order online for in-store pickup to avoid wandering large, understaffed stores.

Surveillance, Theft, and Local Economies

  • Discussion branches into Flock license-plate cameras in big-box parking lots.
  • One side emphasizes theft reduction; the other emphasizes privacy, anti-surveillance, and resentment of corporations “sucking towns dry.”
  • Some distinguish anti-surveillance from “pro-theft,” and complain about bad in-store UX (locking items, friction-heavy rebates).

Website, Apps, and Internal IT Quality

  • Many describe Home Depot’s website/app as slow, buggy, and poorly designed (random store selection, unusable mobile performance, broken filters/sorting).
  • In-store connectivity is poor (steel “Faraday cage”), pushing people onto unreliable WiFi; carrier-managed auto-join networks and VPN incompatibility add friction.
  • A minority defend the site’s inventory accuracy when it does load.
  • Anecdotes about Home Depot’s modernization push (K8s/React, conference recruiting) suggest internal confusion, legacy systems, and lack of coherent strategy, contrasted with praise for Walmart’s modernization.

Token Exposure, Secret Scanning, and Risk

  • Multiple commenters note GitHub’s and some AI providers’ secret-scanning that auto-revokes exposed keys, but say coverage is imperfect and usually limited to GitHub itself or main branches.
  • It’s unclear from the thread where the Home Depot token was exposed; several assume it wasn’t in a public GitHub repo or it would’ve been caught.
  • Potential damage discussed: cloning source code to mine for vulnerabilities and, if CI/deploy access existed, inserting malicious changes.
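The coverage gap the commenters describe (hosted scanning that only sees what lands on GitHub, often only on the default branch) is what a local scanner closes: it runs over any text, including a staged diff, before a secret leaves the developer's machine. The block below is an added example written for this page, not code from the thread, from GitHub or from Home Depot. The token prefixes are GitHub's documented formats; the minimum lengths, the entropy threshold, the rule names and the sample diff (including the fake `ghp_` value) are constructed for the example.

```python
"""Minimal local secret scanner (added example, not the page's own code).

Runs over any text (a file, `git diff --cached`, CI logs) on every branch,
so it is not limited to pushes that reach a public repository or main.
"""
import math
import re

# GitHub's documented token prefixes: ghp_ (classic PAT), gho_ (OAuth),
# ghu_/ghs_ (GitHub App user/server tokens), ghr_ (refresh),
# github_pat_ (fine-grained PAT). The lengths are assumed lower bounds.
GITHUB_TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{40,})\b"
)

# Generic rule: an assignment whose name looks secret-ish and whose quoted
# value is long and high-entropy. Thresholds are assumptions for this example.
ASSIGNMENT_RE = re.compile(
    r"""(?i)\w*(?:token|secret|key|password|passwd)\w*\s*[:=]\s*["']([^"']{20,})["']"""
)
MIN_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character; random API keys score well above prose or 'hunter2'."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Never log the whole secret: keep a short prefix for triage only."""
    return value[:8] + "..."


def scan_text(text: str) -> list:
    """Return findings as dicts {line, rule, preview}, one per distinct value."""
    findings = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Rule 1: known token formats, regardless of variable name.
        for m in GITHUB_TOKEN_RE.finditer(line):
            value = m.group(0)
            if value not in seen:
                seen.add(value)
                findings.append({"line": lineno, "rule": "github-token",
                                 "preview": redact(value)})
        # Rule 2: secret-looking assignment with a long, high-entropy value.
        for m in ASSIGNMENT_RE.finditer(line):
            value = m.group(1)
            if value in seen:
                continue
            if shannon_entropy(value) >= MIN_ENTROPY_BITS:
                seen.add(value)
                findings.append({"line": lineno, "rule": "high-entropy-secret",
                                 "preview": redact(value)})
    return findings


# Constructed sample diff. The ghp_ value is NOT a real token; it is a
# made-up string in the documented shape so the prefix rule has a hit.
SAMPLE_DIFF = """\
diff --git a/deploy/config.py b/deploy/config.py
+GITHUB_TOKEN = "ghp_0123456789abcdefghijABCDEFGHIJklmnop"
+DB_PASSWORD = "hunter2"
+SESSION_SECRET = "q7Hs9LmZx2Pw4Kv8Rt1Yb6Nc3Jd5Fg0"
 LOG_LEVEL = "info"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['rule']} ({f['preview']})")
```

Wired into a pre-commit hook that feeds `git diff --cached` to `scan_text`, this catches a token on any branch before it is pushed; the prefix rule is precise for GitHub tokens, while the entropy rule is the noisy backstop for keys from other providers and needs tuning per codebase.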

Broader Security Culture and Mitigations

  • Debate over whether security “really matters” given mild market consequences for big breaches; others counter that huge effort prevents far more incidents.
  • “Vibe coding” and poor key hygiene are seen as growing risks.
  • Suggestions for self-hosted secret management include platform-native secrets, password managers with APIs, and tools like SOPS + age.