Indian grocery delivery startup KiranaPro has been hacked, and the attackers wiped all of its critical data. The company’s founder and CEO, Deepak Ravindran, confirmed the incident to TechCrunch. The destroyed data included KiranaPro’s application code and its servers, which held banks of sensitive customer information. That customer information includes full names, mailing addresses, and some payment details. Although KiranaPro’s application is still online, it cannot process any new customer orders. The startup, which launched in December 2024, has accumulated 55,000 customers.
KiranaPro operated primarily as a buyer app on the Indian government’s Open Network for Digital Commerce, serving customers across 50 Indian cities. The company’s executives first became aware of the incident on May 26th while attempting to log into their AWS account. The hackers gained unauthorized access to KiranaPro’s root accounts on both Amazon Web Services and GitHub. Ravindran shared screenshots suggesting that the hack occurred after someone gained access via a former employee’s unsecured account credentials. The company’s chief technology officer, Saurav Kumar, stated that the hack most likely happened around May 24-25 this year.
Saurav Kumar also told TechCrunch that the multi-factor authentication code had changed when they tried to log into their AWS account.
All of their Elastic Compute Cloud (EC2) services, which let clients access virtual computers, were found to have been deleted. KiranaPro has since reached out to GitHub’s support team to help identify the hacker’s IP addresses and other traces of the incident. Ravindran said the startup is also filing cases against its former employees who allegedly did not submit their credentials. It remains unclear exactly how the attack happened, but credential theft is a common cause of such breaches.
Companies are ultimately responsible for enforcing the security of their own systems.
Before the incident, KiranaPro had ambitious plans to expand its operations to one hundred cities within the next 100 days. The startup counts several institutional venture backers, including Blume Ventures, Unpopular Ventures, and Turbostart. Angel investors in the company include Olympic medalist PV Sindhu and BCG Managing Director Vikas Taneja. KiranaPro has a small team of fifteen employees, located primarily in Bengaluru and Kerala, India. The breach highlights the cybersecurity risks that even new, fast-growing startups can face.