KiranaPro Hack Wipes Data, Cripples Grocery Startup Ahead of Expansion Push
The Bengaluru-based voice-enabled delivery startup lost access to its app code, servers, and customer data after a breach traced to a former employee’s credentials.
Representational Photo
BENGALURU, India, June 4, 2025 — KiranaPro, a voice-enabled Indian grocery delivery startup operating on the country’s Open Network for Digital Commerce, has suffered a severe security breach that wiped its entire database, leaving its app online but nonfunctional.
The cyberattack compromised KiranaPro’s Amazon Web Services and GitHub accounts, erasing customer data, source code, and the company’s ability to process orders. Deepak Ravindran, co-founder and CEO, confirmed the breach to TechCrunch, describing it as a devastating loss just days before the startup was set to expand operations to 100 cities.
“We are not able to get any logs or anything because we don’t have the root account,” said Ravindran. “All our EC2 instances are gone.”
Launched in December 2024, KiranaPro served as a voice-based grocery ordering app supporting regional languages like Hindi, Tamil, Malayalam, and English. With a user base of 55,000 and over 2,000 daily orders across 50 cities, the platform offered customers a way to place local orders from nearby shops through spoken commands.
According to Ravindran and Chief Technology Officer Saurav Kumar, the breach likely occurred between May 24 and 25 via a former employee’s credentials. Screenshots shared with TechCrunch suggest unauthorized access through GitHub, raising concerns about weak offboarding protocols and gaps in multi-factor authentication.
The company used Google Authenticator for added login security, but Kumar reported that even this failed. “The multi-factor code had changed when we tried to log in. Everything was deleted,” he said, adding that they could now only access the system through limited IAM accounts.
Ravindran confirmed the company has contacted GitHub for forensic help and is filing cases against former employees who failed to return credential access. Investigations are ongoing.
The breach reflects growing industry concern over lapses in basic cyber hygiene, particularly around credential theft and employee offboarding. Experts point to recent incidents at LastPass, Change Healthcare, and Snowflake—where similar gaps led to damaging breaches—as cautionary examples.
KiranaPro, headquartered in Bengaluru with a team of 15, is backed by Blume Ventures, Unpopular Ventures, and Turbostart. Olympic medalist PV Sindhu and Boston Consulting Group MD Vikas Taneja are among its angel investors.
As of now, the startup’s platform remains non-operational, and recovery efforts are underway. The company has not confirmed a timeline for when services will resume.
We tried logging in last week. The EC2 services were gone. The root access is lost.
