KiranaPro Hacked: Indian Grocery Startup Loses All Data

Indian grocery delivery startup KiranaPro has confirmed a devastating security breach resulting in the complete loss of its data, including customer information and app code. CEO Deepak Ravindran revealed the attack to TechCrunch, stating that hackers gained access to the company's AWS and GitHub accounts.

Launched in December 2024, KiranaPro operates on the Indian government's Open Network for Digital Commerce (ONDC). The platform allows customers to order groceries from local shops and supermarkets using a voice-based interface in multiple languages, including Hindi, Tamil, Malayalam, and English. The startup boasted 55,000 registered customers and 30,000-35,000 daily active users across 50 cities, processing 2,000 orders per day.

The attack, believed to have occurred around May 24-25, wiped KiranaPro's servers, including sensitive customer data such as names, addresses, and payment details. While the app remains online, it is currently unable to process orders.

Suspected Insider Threat

Initial investigations suggest the breach may have originated from a former employee's compromised account. KiranaPro used Google Authenticator for multi-factor authentication on its AWS account, but the multi-factor code was reportedly changed during the attack, which prevented the company from accessing the account. The company is now working with GitHub support and pursuing legal action against former employees to uncover the source of the breach.

Impact and Future

This incident underscores the critical importance of robust security measures for online businesses, especially those handling sensitive customer data. The attack has significantly impacted KiranaPro's operations and expansion plans, which included reaching 100 cities within the next 100 days. The long-term consequences of this data breach remain to be seen.

The breach echoes other major data breaches caused by credential theft, highlighting the ongoing need for strong security practices, including multi-factor authentication and prompt deactivation of former employees' accounts. Companies like LastPass, Change Healthcare, and Snowflake have experienced similar attacks, underscoring the vulnerability of online systems.

KiranaPro is backed by Blume Ventures, Unpopular Ventures, and Turbostart, along with angel investors such as Olympic medalist PV Sindhu and BCG MD Vikas Taneja. The company has a team of 15 employees based in Bengaluru and Kerala.