Cyber Incident Victim: KiranaPro

Date: May 2025

Location: India

Summary

KiranaPro suffered a breach in which attackers gained root access to its AWS and GitHub accounts, deleted EC2 instances and wiped all stored data including app code and customer details such as names, addresses and payment information. The startup’s app remains reachable but cannot process orders, and investigators suspect the intrusion originated from a former employee’s credentials after observing altered multi‑factor authentication codes. The company has contacted GitHub for IP traces and is pursuing legal action against the former staff members while working to restore services.

Description

KiranaPro, an Indian grocery delivery startup launched in December 2024, operates as a buyer app on the government’s Open Network for Digital Commerce and reported 55,000 customers with 30,000 to 35,000 active buyers across 50 cities placing about 2,000 orders daily. The company offered a voice‑based interface supporting Hindi, Tamil, Malayalam and English and had planned to expand to 100 cities within the next 100 days before the incident. On May 26, 2025, executives became aware of a security breach while attempting to log into their Amazon Web Services account. The chief technology officer told TechCrunch that the hack occurred around May 24‑25, 2025.

Investigators found that hackers had gained root access to KiranaPro’s AWS and GitHub accounts, and the CEO shared screenshots of GitHub security logs and a sample activity log indicating the intrusion followed the use of a former employee’s credentials. The startup had enabled Google Authenticator for multi‑factor authentication on its AWS account, but the MFA code had changed when they tried to log in. All Elastic Compute Cloud (EC2) instances had been deleted, leaving only an IAM account that could show the missing instances but provided no logs. As a result, the company’s app code and servers containing customer names, mailing addresses and payment details were wiped, rendering the app unable to process orders even though it remained online.

KiranaPro contacted GitHub’s support team to obtain the attacker’s IP addresses and other traces of the incident, and the CEO said the company was filing legal cases against former employees who had not surrendered their GitHub credentials for log review. The article notes that the exact method of the breach remains unclear, though it cites recent credential‑theft attacks such as LastPass, Change Healthcare and Snowflake as examples of similar incidents. KiranaPro’s institutional backers include Blume Ventures, Unpopular Ventures and Turbostart, while angel investors comprise Olympic medalist PV Sindhu and BCG MD Vikas Taneja, and the startup employs a team of 15 people based in Bengaluru and Kerala.
