Home Depot Github Token Exposed for a Year, Granted Access to Internal Systems
Key topics
A GitHub token exposed for a year granted access to Home Depot's internal systems, sparking a lively debate about the retail giant's customer service and corporate culture. Commenters weighed in with their personal experiences, with some swearing by Lowe's superior service, while others noted that the quality of service varies greatly depending on location. As one commenter astutely observed, the decline in customer service may be a cost-cutting measure driven by a focus on shareholder value. The discussion reveals a surprising consensus that both Home Depot and Lowe's have struggled with providing helpful and knowledgeable staff, with some attributing it to a "quantity over quality" approach.
Snapshot generated from the HN discussion
Discussion Activity
Very active discussion. First comment: 38m after posting. Peak period: 133 comments in 0-12h. Avg / period: 22.9. Based on 160 loaded comments.
Key moments
- 01 Story posted: Dec 12, 2025 at 1:23 PM EST (21 days ago)
- 02 First comment: Dec 12, 2025 at 2:01 PM EST (38m after posting)
- 03 Peak activity: 133 comments in 0-12h (hottest window of the conversation)
- 04 Latest activity: Dec 19, 2025 at 4:05 PM EST (14 days ago)
I’d agree though, it’s department dependent. The electrical at my HD is an unorganized mess, but their plumbing section is world-class. Lowe’s is oddly flip-flopped. To Lowe’s great credit, their staff has those little tablets with inventory locations on them including all the top-shelf and end cap locations the website doesn’t show. Those usually save my trip, HD doesn’t seem to have an equivalent.
I've found it to be very datetime dependent. I was walking the aisles on a late Sunday night recently and the only time I saw an employee was at the self checkout before I left.
That’s damn good customer service right there, if you ask me. The fake-chipper act makes me want to dive into a wood chipper…
The old lady that always seemed to be behind the register eventually started greeting me by name when I walked in. (I don't recall ever giving her my name; maybe she remembered seeing it on a credit card or something.)
After the pleasantries (which didn't seem fake at all), one of the greybeards present would appoint themselves as my personal shopper. I'd go down my list of demands that was only vaguely sorted by department: "One M8x1.25x80mm all-thread stainless Phillips screw, a 16x20 furnace filter, a box of #8x3/4 sheet metal screws, and uh... what do you have for can openers?"
And then we'd make a lap or two of the store to get these things, and I'd pay and GTFO.
It was great.
But for actual help and humanity (if you can afford the price and the more limited selection), Ace is consistently better near where I am.
[0] https://deflock.me/map#map=17/33.639428/-111.976540
Although, plenty of people are pro-theft from the corporations sucking our towns and local economies dry and paying so little that their employees have to rely on food stamps.
https://dan.bulwinkle.net/blog/trader-joes-does-not-have-sur...
[0] deflock.me
[1] https://www.youtube.com/watch?v=uB0gr7Fh6lY
Also, when I'm in my local store it seems like cell connection goes to shit for some reason and then I have to jump on their in-store wifi in order to search their website.
At one point I also had to disable wireguard because I think it was triggering some sort of anti-abuse thing they had. It wasn't even using an exit node, just bridging me to my home network so I could access self-hosted services. I get the desire for anti-abuse, but that felt pretty draconian and I don't expect the average person to consider they might have to disable a VPN to get it to work, especially nowadays when many average people do have VPNs running.
It's a giant steel and concrete box, that's probably the reason.
I've found that on a site like Amazon or Walmart that'll let you do a more freeform sort, the filter options become absolutely god awful.
Well done by McMaster-Carr. I assume they control their inventory a bit more than a marketplace like Home Depot, Walmart, or Amazon, so that's also an advantage.
Here's the XML Schema Definition for "Product" on Amazon [1]
This is joined on each of the linked category schemas included at the type, each of which has unique properties that ultimately drive the metadata on a particular listing for the SKU. It's fraught with inconsistency, duplicated fields, and oftentimes not up to date with required information.
Ultimately, this product catalog information gets provided to Amazon, Walmart, Target, and any other large 3rd party marketplace site as a feed file from a vendor to drive what product they can then list pricing and inventory against (through similar feeds).
You are right that the control McMaster-Carr has on their catalog is the strategic and technological advantage.
[1]: https://images-na.ssl-images-amazon.com/images/G/01/rainier/...
Which is a good indicator, but you can’t be sure of. Additionally you may imagine liking it but not enjoy it in life, even if true.
Is 8 before or after 4 in the alphabet?
If it were ordered by ordinal values, "/" is 47 and " " is 32, so "1 in" would come before "1/2 in".
It's not alphabetized by letter word. Because while "Eight" comes before "Four", "Specialty" would come before "Three".
No matter which way you attempt to order it, something is out of order.
Softtalker probably got it right. This is some default or id sort.
what the actual fuck
What grinds my gears is the speed of this search, regardless of the phone reception. Even on the desktop it feels like they have a bunch of interns running a sneakernet. Or the website is laden with pointless javascript that slows everything down before the search is actually performed.
I go to the same Home Depot every time. (Well I don't if I can help it, but that's beside the point). There is no reason they cannot store the preferred store in the localStorage or cookies or wherever else. Other stores have figured this out.
Not Costco though! I open their page and immediately: "Can Costco.ca use your location?" I say yes and then it asks me what province I'm in. I tell it, and then it defaults me to a store 30 minutes' drive from here and not the one five minutes away. Every. Time.
I have to believe it’s intentional.
Pizza pockets? Okay, anything that mentions pizza, or pockets. So frozen pizzas, in-store-made pizzas, pizza flavored pringles, pants with pockets, dresses with pockets, frozen items that are similar to pizzas but aren't pizzas, frozen items which aren't similar to pizzas, granola bars I guess, basketballs, and so on.
It seems as though their search just takes the search terms, matches them against every item in their database in order of relevance, and then just shows you everything regardless of how relevant it is. 0.00121 out of 100? Well, it's still technically relevant! Let's show it just in case!
I understand that upgrading and migrating to new systems takes time but this process never seemed like it involved anyone on the ground.
Now that said, I don't want to minimize the difficulty in modernizing software at a corp like HD. It's wildly more difficult than most people can appreciate. I've consulted for companies trying to do it, and there are lots of challenges with legacy systems, migrations, and plenty of non-technical challenges as well.
Shout out to Wal-mart for genuinely kicking ass at this though. I'm quickly becoming an Onn fanboy. Generally speaking, great products at great prices, from their USB cables up to their smart speakers and more. You can really tell from the product design and implementation that they are letting the nerds geek out and have fun! That in turn enables me to do the same :-)
I literally watched someone Google "masonry bit" right in front of me.
I think a lot of people just expect too much from a big box store employee making $17/hr… You go to HD because you have an easy job and you’re as cheap as their MBAs. If you need help, go to a supply house or an Ace Hardware or something.
(It gets worse the further from the power tools section you get, I find. I had to explain the difference between a three-prong and four-prong 240V plug once at HD and promptly told my friend to stop asking the staff for "help" finding things.)
The best feature of Home Depot is order pickup. No need to explain to someone that some appliances use both 120V for control power and 240V power for the motor or heating element and therefore you need a 4-wire NEMA 14 series receptacle with a neutral conductor, you just buy one and pick it up from a locker. It’s made buying things from Home Depot tolerable for me.
Also I once asked an employee for help locating an item and they told me to pull up the app. I was like "you pull up the app", and we sat there for 5 minutes waiting for things to load until he decided he'll just help me locate the item lol
Now Home Depot for some reason just doesn't load on mobile (white screen) unless I disable content filtering in the browser. Classy.
I thought that was just me. It gets the first, maybe the second digit of the zip code right and that's about it.
https://www.reddit.com/r/Tools/comments/1opufvq/a_lightweigh...
It seems like a cheap and simple thing to offer your customers a little extra safety.
Anybody interested in starting a platform agnostic service to do this?
There was a recent post from someone who made the realization that most of these scanning services only investigate the main branch. Extra gold in them hills if you also consider development branches.
Thought the mechanism was a little unclear in your specific example - did GitHub revoke Discord tokens?
This seems to be a case of someone accidentally publishing their GitHub token somewhere else. I'm not sure how GitHub would cheaply and easily prevent that. Though there are third-party tools that scan your web presence for secrets, including trying wordlists of common files or directories.
1: https://docs.github.com/en/code-security/secret-scanning/int...
2: https://docs.github.com/en/code-security/secret-scanning/int...
GitHub has deprecated classic tokens, but the new tokens are not backwards compatible. The deprecated tokens have also continued to be available for some time. Real security professionals will tell you flatly "tokens are bad", and they're right. They're leakable attack vectors. The tokens are the problem and discontinuation is the solution. Scanning is simply symptom treating, and given what I know about Microsoft culture, I doubt that's going to change soon or quickly.
GitHub Advanced Security blocks the push, I believe.
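As an added example that is not part of the thread, of GitHub's own tooling, or of any scanning vendor: a small Python scanner that addresses the two gaps raised in the comments above, walking every ref of a repository rather than only the default branch, and doubling as a local pre-commit check in the spirit of push protection. The token prefixes and lengths are taken from GitHub's published token formats and should be treated as assumptions here; the `git` CLI must be on PATH and the functions that call it are not exercised offline.

```python
"""Scan every ref of a git repository (not just the default branch) for
GitHub token formats, and double as a pre-commit hook over staged changes.
Added example; not code from the original thread or from GitHub."""
import re
import subprocess
import sys

# Assumed formats: classic PATs and OAuth/app tokens are "gh?_" + 36 chars;
# fine-grained PATs are "github_pat_" + 22 chars + "_" + 59 chars. Loosen
# these if GitHub changes its formats.
PATTERNS = {
    "github_classic_or_app": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "github_fine_grained": re.compile(
        r"\bgithub_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59}\b"),
}


def scan_text(text, origin="<stdin>"):
    """Return [(origin, line_no, kind, redacted_token)] for each hit.
    Only the prefix and the last 4 chars are kept, so the finding itself
    cannot leak the secret into a report or a CI log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(line):
                tok = m.group(0)
                hits.append((origin, n, kind, tok[:8] + "..." + tok[-4:]))
    return hits


def _git(args, cwd):
    # errors="replace" keeps binary blobs from aborting the walk.
    return subprocess.run(["git", *args], cwd=cwd, check=True,
                          capture_output=True, text=True,
                          errors="replace").stdout


def scan_all_refs(repo):
    """Walk every commit reachable from any ref (branches, tags, remotes,
    stashes) and scan each blob once. Branches that were never pushed are
    out of reach; this covers everything the remote actually holds."""
    seen, hits = set(), []
    for commit in _git(["rev-list", "--all"], repo).split():
        for entry in _git(["ls-tree", "-r", commit], repo).splitlines():
            meta, path = entry.split("\t", 1)
            _mode, typ, blob = meta.split()
            if typ != "blob" or blob in seen:
                continue
            seen.add(blob)
            content = _git(["cat-file", "-p", blob], repo)
            hits += scan_text(content, f"{commit[:10]}:{path}")
    return hits


def scan_staged(repo="."):
    """Pre-commit mode: scan only the lines being added in this commit."""
    diff = _git(["diff", "--cached", "-U0"], repo)
    added = "\n".join(l[1:] for l in diff.splitlines()
                      if l.startswith("+") and not l.startswith("+++"))
    return scan_text(added, "staged")


if __name__ == "__main__":
    # `python scanner.py staged` (as .git/hooks/pre-commit) or
    # `python scanner.py all /path/to/repo`
    mode = sys.argv[1] if len(sys.argv) > 1 else "staged"
    found = scan_staged() if mode == "staged" else scan_all_refs(sys.argv[2])
    for origin, n, kind, tok in found:
        print(f"{origin}:{n}: {kind} {tok}")
    sys.exit(1 if found else 0)
```

The pre-commit mode only stops the next leak; a token that is already in history stays exposed until it is revoked, so the right response to any hit from `scan_all_refs` is rotation, not a force-push.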
By using plywood in conjunction with other off-the-shelf parts and materials, we can change this equation to deliver more value while dramatically reducing costs.
If, due to unforeseen circumstances the habitat occupant can no longer sustain life, they're automatically entombed inside a makeshift plywood coffin—no costly recovery operations required.
> We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.
As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.
The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.
Obviously we would all like a full post mortem from the Home Depot side, but in today's litigious shareholder-value-driven world their response is the correct one.
As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.
Had to do that with a bank that refused to talk to me (I hit some kind of identity verification quagmire), but they quickly got someone able to call me and close it on the spot.
I don't believe exploiting GitHub repos for initial access is part of their playbook, but there have been plenty of examples in recent years of attackers gaining access to internal infrastructure via secrets exposed in GitHub (whether in code or Actions workflows). Just this year, attackers got into Salesloft's GitHub, pivoted to their AWS environment, and stole OAuth tokens that gave them access to hundreds of Salesforce customers.
- Depending on whether they use GH for deployments they can also introduce features to production that can help them
Took me a good 10-15 minutes to _just_ _find_ where Gemini/AI Studio/Vertex project keys _might_ be! I had to "import project" before I could find where the key is. Google knew the key was exposed, but the key seemed to be still active with a "!" next to it!
With a lot of vibe coding happening, key hygiene becomes crucial on both issuer and user ends.
I shudder to think of the implications.
Consider all the security disasters we already get from brogramming, and multiply that, times 100.
The main issue seems to be, that our artifacts are now so insanely complex, that there’s too many holes, and modern hackers are quite different from the old skiddies.
In some ways, it’s possible that AI could be a huge boon for security, but I’m worried, because its training data is brogrammer crap.
Actual security on the other hand has decreased. I think one of the worst things to happen to the industry is "zero trust", meaning now any exposed token or lapse in security is exploitable by the whole world instead of having to go through a first layer of VPN (no matter how weak it is, it's better than not having it).
See SolarWinds, Microsoft, etc.
I agree that we need to have "toothier" breach consequences.
The problem is that there's so much money sloshing around, that we have regulatory capture.
All while there's no budget for those that actually develop and operate the software (so you get insecure software), those that nevertheless do their best are slowed down by all the security theater, and customer service is outsourced to third-world boiler rooms so exploiting vulnerabilities doesn't even matter when a $100 bribe will get you in.
It's "the emperor has no clothes" all the way down, but because any root-cause analysis of a breach (including by regulators) will also be done by those without clothes, it "works", as far as the market and share price is concerned.
Claude (or other LLMs, for that matter) wouldn't know they leaked the keys because I did, by trying to make the construction logs public. I just wasn't expecting the logs to have keys in them from my env vars.
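The failure mode in the comment above (environment variable values landing in logs that are later made public) can be narrowed by redacting before anything is published. An added example, not code from the thread or from any CI vendor: a Python redactor that masks the exact values of secret-looking environment variables and any `NAME=value` line for such names. The variable names and log lines used to exercise it are constructed; the name heuristic and the 8-character minimum are assumptions.

```python
"""Redact secrets from build/CI logs before publishing them.
Added example; not code from the thread. Masks (1) the exact values of
environment variables whose names look secret-bearing and (2) any
NAME=value assignment line for such names, so an `env` dump or an echoed
command cannot carry a key into a public log."""
import os
import re

# Assumed heuristic for "this variable holds a secret". Over-matching
# (e.g. MONKEY_COUNT) only costs a masked value, which is the safe direction.
SECRET_NAME = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD|CREDENTIAL)", re.I)
# "export NAME=value" or "NAME=value" at the start of a line.
ASSIGN = re.compile(r"^(\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*)(\S+)")


def secret_values(env):
    """Values of secret-looking variables, longest first so a value that
    contains another value is replaced before its substring. Values shorter
    than 8 chars are skipped (assumption) so "1" is not masked everywhere."""
    vals = [v for k, v in env.items() if SECRET_NAME.search(k) and len(v) >= 8]
    return sorted(set(vals), key=len, reverse=True)


def redact_line(line, values):
    for v in values:
        line = line.replace(v, "***")
    m = ASSIGN.match(line)
    if m and SECRET_NAME.search(m.group(2)):
        line = m.group(1) + "***" + line[m.end(3):]
    return line


def redact_log(text, env=None):
    """Redact a whole log; defaults to the current process environment."""
    values = secret_values(os.environ if env is None else env)
    return "\n".join(redact_line(l, values) for l in text.splitlines())


if __name__ == "__main__":
    import sys
    sys.stdout.write(redact_log(sys.stdin.read()) + "\n")
```

Value matching is exact, so a secret that a tool prints URL-encoded, base64-wrapped, or split across lines will get through; the assignment rule catches the common `env` dump case regardless. In GitHub Actions the equivalent built-in is `echo "::add-mask::$VALUE"`, which registers a value for masking in that job's log.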
I feel like all this granular key management across everything, dev, life, I might be more insecure but god damn I don't feel like I know what is going on.
For a self-hosted use case.
Currently, manually SSH into VPS and updating env files but not sure if it's best practice.
One option is to use separate "proxy" VMs that proxy traffic to the external services and applies the secret. The main application VM uses those proxy VMs to talk to the external services. This means a compromise of the application VM will not be able to exfiltrate any secrets - it will merely be able to make use of them (by talking to the proxy VMs) while the attacker still has access. Post-breach remediation becomes easier as not only do you not need to rotate the secret (as it wasn't stolen, merely misused) but your proxy VM can provide a tamper-proof audit log to tell which malicious activity has happened, if any.
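The proxy-VM design in the comment above, as an added example that is not code from the thread: the core of a credential-injecting forward proxy in Python that enforces a method/path allow-list, strips any credential the application host sends, attaches the real one, and appends every decision to a hash-chained audit log. The upstream host, the allow-list and the placeholder token are constructed. The log is tamper-evident rather than tamper-proof: the application VM cannot alter it because it never holds it, and shipping the chain head off-host periodically makes edits on the proxy itself detectable.

```python
"""Secret-holding proxy core: the application VM talks to this proxy and
never holds the upstream credential. Added example, not code from the
thread; hostnames, paths and the secret are constructed placeholders."""
import hashlib
import json
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = "https://api.example.com"           # hypothetical upstream
SECRET = "ghp_" + "X" * 36                      # placeholder, not a real token
ALLOW = [("GET", "/repos/"), ("GET", "/user")]  # method + path-prefix allow-list


class AuditLog:
    """Append-only log where each entry commits to the previous one."""

    def __init__(self):
        self.entries = []          # [(json_body, sha256_hex)]
        self.head = "0" * 64

    def append(self, **fields):
        fields.setdefault("ts", time.time())
        fields["prev"] = self.head
        body = json.dumps(fields, sort_keys=True)
        self.head = hashlib.sha256(body.encode()).hexdigest()
        self.entries.append((body, self.head))
        return self.head

    def verify(self):
        """False if any entry was edited, reordered or dropped."""
        prev = "0" * 64
        for body, digest in self.entries:
            if (json.loads(body)["prev"] != prev
                    or hashlib.sha256(body.encode()).hexdigest() != digest):
                return False
            prev = digest
        return prev == self.head


def decide(method, path, client_headers, log):
    """Return the headers to forward, or None when policy denies the call.
    Any Authorization the client sent is dropped: the app host's view of
    the credential is never trusted, only the proxy's own."""
    allowed = any(method == m and path.startswith(p) for m, p in ALLOW)
    log.append(method=method, path=path, allowed=allowed,
               client_sent_auth="authorization" in {k.lower() for k in client_headers})
    if not allowed:
        return None
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in ("authorization", "host", "content-length")}
    headers["Authorization"] = "Bearer " + SECRET
    return headers


LOG = AuditLog()


class Handler(BaseHTTPRequestHandler):
    """Minimal GET-only forwarder; the allow-list above only permits GET."""

    def do_GET(self):
        headers = decide("GET", self.path, dict(self.headers.items()), LOG)
        if headers is None:
            self.send_error(403, "not allowed by proxy policy")
            return
        req = urllib.request.Request(UPSTREAM + self.path, headers=headers, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                body = resp.read()
                self.send_response(resp.status)
                for k, v in resp.getheaders():
                    if k.lower() not in ("transfer-encoding", "connection"):
                        self.send_header(k, v)
                self.end_headers()
                self.wfile.write(body)
        except urllib.error.HTTPError as e:
            self.send_error(e.code)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The application VM points its client at the proxy instead of the upstream and sends no credential at all; a compromised application host can then only make the calls the allow-list permits, every one of which is on record, and remediation is a policy change rather than a token rotation.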