In late May 2025, KiranaPro, an Indian grocery delivery startup, suffered a devastating cyberattack that erased its AWS servers, GitHub code, and sensitive customer data. Initially blamed on a former employee, co-founder Deepak Ravindran now admits an external hack cannot be ruled out, pending a forensic investigation. Here’s the latest on this crippling breach.
The Breach: What Happened?
Discovered on May 26, 2025, the attack deleted KiranaPro’s EC2 instances on AWS and its app code on GitHub, halting its ability to process 2,000 daily orders across 50 cities. The compromised data included 55,000 customers’ names, addresses, and payment details. Despite using Google Authenticator for multi-factor authentication (MFA), hackers accessed root accounts, with the MFA code mysteriously changed, per CTO Saurav Kumar.
Internal or External Hack?
Ravindran initially posted on X, claiming an internal breach by a former employee whose account wasn’t deactivated post-termination, citing GitHub emails linking the deletion to their username. However, he told TechCrunch, “We cannot rule out third-party misuse of the account,” admitting no checks were done on the employee’s devices for malware. The lack of proper offboarding protocols—due to no full-time HR—left vulnerabilities. A forensic investigation is planned with board and legal input.
Impact and Recovery
KiranaPro, launched in December 2024 on India’s ONDC, offered a voice-based app in Hindi, Tamil, Malayalam, and English. The breach stalled its 100-city expansion. The startup restored AWS and GitHub data from an employee’s backup, but the app remains non-functional. Ravindran claims no customer data was exfiltrated, though evidence is limited. The company, backed by Blume Ventures and PV Sindhu, faces unpaid staff and a $1.2M seed round delay.
Why It Matters
The breach highlights India’s startup cybersecurity gaps, with 95% of breaches in tech, per Wikipedia. X posts, like @CJingyansu, stress the need for robust access controls. KiranaPro’s case, under India’s DPDP Act, requires notifying affected users and Cert-In, with legal action against the ex-employee looming.https://www.linkedin.com/posts/startup-pedia_startuppedia-startup-kiranapro-activity-7337886016290136064-ytku/
