Indian grocery startup KiranaPro hit by insider security incident affecting over 55,000 people
Take action: Make sure to ALWAYS offboard employees from all systems. Whether it was a disgruntled person or hackers compromising credentials, the credentials of a departed employee were abused.
KiranaPro, a Bengaluru-based grocery delivery startup, was hit by a catastrophic security incident that completely wiped out its operational infrastructure and compromised sensitive customer data belonging to over 55,000 users across 50 cities.
KiranaPro operates as a buyer application on India's Open Network for Digital Commerce (ONDC), offering a unique voice-based interface that allows customers to place grocery orders using voice commands in Hindi, Tamil, Malayalam, and English. The startup, launched in December 2024, had gained significant traction with 55,000 registered customers and was processing approximately 2,000 orders daily before the incident.
The incident, which occurred between May 24-25, 2024, resulted in the complete deletion of the company's Amazon Web Services (AWS) servers, GitHub repositories, and customer databases.
The attack has been attributed to a former employee whose access credentials were not properly deactivated following their departure from the company. Company executives are uncertain whether the incident was purely internal or involved external threat actors who exploited the former employee's retained system access.
CEO Deepak Ravindran initially characterized the incident as an internal breach but later conceded that the company could not rule out the possibility of external actors using the compromised credentials.
The company confirmed it did not remove the former employee's access to its data and GitHub account following their departure. This fundamental security oversight allowed unauthorized access to critical systems, including root accounts on both AWS and GitHub platforms. The company had implemented Google Authenticator for multi-factor authentication on its AWS account, but this protection was bypassed during the attack.
Company officials reported they could only access limited functions through Identity and Access Management (IAM) accounts, but were unable to retrieve any logs or forensic evidence due to the loss of root account access.
The company has reached out to GitHub's support team to help identify IP addresses and other forensic traces of the incident. The startup has also filed complaints with cybercrime authorities and is pursuing legal action against former employees who allegedly failed to return access credentials on their departure.
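One way to run the offboarding check from the take-action note against an AWS account, as an added example that is not from the original article or from KiranaPro. The report text is a constructed sample using a subset of the IAM credential report's columns, and `DEPARTED` is a hypothetical HR export of former employees.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report
# (a subset of the real columns; all values are invented for illustration).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,true,true,false
alice,arn:aws:iam::111122223333:user/alice,true,true,false,false
bob,arn:aws:iam::111122223333:user/bob,true,false,true,false
carol,arn:aws:iam::111122223333:user/carol,false,false,false,false
"""

# Hypothetical HR export of people who have left the company (assumption).
DEPARTED = {"bob", "carol"}

CREDENTIAL_COLUMNS = ("password_enabled", "access_key_1_active", "access_key_2_active")


def audit(report_csv, departed):
    """Return (user, issue) tuples for credentials that should no longer exist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        live = [c for c in CREDENTIAL_COLUMNS if row.get(c) == "true"]
        if user == "<root_account>":
            # Root access keys cannot be restricted by policy, so flag any that exist.
            for c in live:
                if c.startswith("access_key"):
                    findings.append((user, f"root has {c}"))
            if row.get("mfa_active") != "true":
                findings.append((user, "root has no MFA"))
        elif user in departed:
            # Any live password or key on a departed user's account is a finding.
            for c in live:
                findings.append((user, f"departed user still has {c}"))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT, DEPARTED):
        print(f"{user}: {issue}")
```

A credential report cannot show who still knows a shared root password or holds its MFA device, so rotating both when someone with root access leaves has to be a separate offboarding step.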