>When reached by TechCrunch on December 5, Home Depot spokesperson George Lane acknowledged receipt of our email but did not respond to follow-up emails asking for comment. The exposed token is no longer online, and the researcher said the token’s access was revoked soon after our outreach.

>

>We also asked Lane if Home Depot has the technical means, such as logs, to determine if anyone else used the token during the months it was left online to access any of Home Depot’s internal systems. We did not hear back.

As soon as they realized that the researcher had contacted "the media", they probably escalated internally to their legal team before anyone else, who told them to shut up.

The response, if one ever comes, will be a communication dense in lawyer-speak that admits no fault whatsoever.

This is why I go straight to legal for some things. By letter (the kind with a stamp).

As it could be service or real legal stuff, it tends to get read by someone literate and able to take action.

Had to do that with a bank that refused to talk to me (I hit some kind of identify verification quagmire), but they quickly got someone able to call me and close it on the spot.

I mean you can't fault them for that approach.

Obviously we would all like a full post mortem from the home dept side, but in today's litigious shareholder-value-driven world their response is the correct one.