KiranaPro Hacked: Servers Wiped and Customer Data Compromised


KiranaPro, a Bengaluru-based grocery delivery startup operating via the Indian government’s Open Network for Digital Commerce (ONDC), suffered a catastrophic cyberattack that completely wiped its AWS infrastructure and GitHub code repositories. The attack has rendered the platform non-functional, halting its operations entirely.

Severity Level: Moderate

How the Breach Happened

  1. The breach likely originated via access left behind by a former employee.
  2. Attackers managed to bypass multi-factor authentication (MFA), potentially using:
    • Password-stealing malware.
    • Unrevoked credentials or insecure credential storage.
  3. Suspicious activity was recorded in IAM logs and GitHub access logs around May 24–25.
  4. Root access was lost, leaving the team with limited visibility via IAM remnants.

Data Exposed During The Breach

  • Customer PII: Names, Physical addresses, Payment details.
  • Logs of customer grocery orders across 50 cities were likely deleted.
  • Core codebase from GitHub was wiped or exfiltrated.
  • Possible compromise of GitHub user tokens and AWS keys.

The full extent of data exfiltration remains unknown but is assumed to be significant given the scale of the breach.

Root Cause

  • Former employee access was not revoked from cloud and code repositories.
  • No active monitoring system alerted the team until full lockout occurred.
  • A 15-member team handled all tech and operations, leaving security gaps.

Lessons Learned

  • Root accounts are not operational tools; they are nuclear access keys. This incident shows a failure to limit critical access paths.
  • OTP-based MFA (SMS or authenticator app) can be bypassed through account-recovery and credential-reset flows, and SMS OTP additionally through SIM swap. Adopt phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys).
  • All cloud activity should be mirrored to external log storage (e.g., CloudTrail → S3 + SIEM). Without root, KiranaPro lost forensic visibility. This emphasizes the need for redundant, immutable logs.
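The two points above (treat root usage as an incident, and keep a copy of CloudTrail outside the account so it survives a takeover) only help if someone is actually reading the mirrored logs. The script below is an added example, not code from the original advisory or from KiranaPro: it runs a handful of detection rules over CloudTrail records (root activity, CloudTrail tampering, IAM privilege changes, and a burst of destructive API calls by one principal). The sample events, the account ID 123456789012 and the user name ex-contractor are constructed for this example; the field names follow the CloudTrail record format.

```python
"""Flag high-risk CloudTrail events: root usage, logging tampering, IAM
privilege changes and bursts of destructive API calls by one principal.

SAMPLE_EVENTS below are constructed for this example (account ID 123456789012
and user 'ex-contractor' are placeholders); in practice feed the records
from the CloudTrail JSON files mirrored to the external S3 bucket.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Calls that blind defenders (CloudTrail) or change who can do what (IAM).
LOGGING_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
IAM_PRIV_CHANGE = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                   "CreateAccessKey", "UpdateLoginProfile", "DeactivateMFADevice",
                   "DeleteVirtualMFADevice", "CreateUser", "DeleteUser"}
# Destructive calls; several in a short window by one principal is wiper-like behaviour.
DESTRUCTIVE = {("ec2.amazonaws.com", "TerminateInstances"),
               ("ec2.amazonaws.com", "DeleteVolume"),
               ("ec2.amazonaws.com", "DeleteSnapshot"),
               ("s3.amazonaws.com", "DeleteBucket"),
               ("rds.amazonaws.com", "DeleteDBInstance")}
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3


def _principal(ev):
    ident = ev.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def analyze(events):
    """Return a list of (severity, rule, principal, detail) findings."""
    findings = []
    destructive_by_principal = defaultdict(list)
    for ev in events:
        name, source, who = ev["eventName"], ev["eventSource"], _principal(ev)
        if ev.get("userIdentity", {}).get("type") == "Root":
            # Any root API call is a finding; a root console login without MFA is critical.
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            sev = "CRITICAL" if name == "ConsoleLogin" and mfa != "Yes" else "HIGH"
            findings.append((sev, "root_activity", who, f"{name} MFAUsed={mfa}"))
        if source == "cloudtrail.amazonaws.com" and name in LOGGING_TAMPER:
            findings.append(("CRITICAL", "logging_tamper", who, name))
        if source == "iam.amazonaws.com" and name in IAM_PRIV_CHANGE:
            findings.append(("HIGH", "iam_priv_change", who, name))
        if (source, name) in DESTRUCTIVE:
            destructive_by_principal[who].append((_ts(ev), name))
    # Sliding window: BURST_THRESHOLD destructive calls within BURST_WINDOW from one principal.
    for who, calls in destructive_by_principal.items():
        calls.sort()
        for start, _ in calls:
            window = [c for c in calls if start <= c[0] <= start + BURST_WINDOW]
            if len(window) >= BURST_THRESHOLD:
                findings.append(("CRITICAL", "destructive_burst", who,
                                 f"{len(window)} destructive calls within {BURST_WINDOW}"))
                break
    return findings


ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root"}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/ex-contractor"}
# Constructed sample: a root login without MFA, logging switched off, a new key
# minted for a leftover user, then three deletions in five minutes.
SAMPLE_EVENTS = [
    {"eventTime": "2025-05-24T21:02:11Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "userIdentity": ROOT,
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2025-05-24T21:05:40Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "userIdentity": ROOT},
    {"eventTime": "2025-05-24T21:07:02Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateAccessKey", "userIdentity": USER},
    {"eventTime": "2025-05-24T21:08:15Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": USER},
    {"eventTime": "2025-05-24T21:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "userIdentity": ROOT},
    {"eventTime": "2025-05-24T21:12:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "DeleteBucket", "userIdentity": ROOT},
    {"eventTime": "2025-05-24T21:15:45Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DeleteDBInstance", "userIdentity": ROOT},
]

if __name__ == "__main__":
    for sev, rule, who, detail in analyze(SAMPLE_EVENTS):
        print(json.dumps({"severity": sev, "rule": rule, "principal": who, "detail": detail}))
```

The burst rule matters most here: the first root login and the StopLogging call are each worth a page, but a principal issuing TerminateInstances, DeleteBucket and DeleteDBInstance within minutes is the wipe in progress, and that is the alert that should trigger a break-glass response. Because StopLogging stops new records reaching the trail, the detection only works if it runs against the copy of the trail that lands in a bucket the compromised account cannot delete.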

Recommendations:

  1. Avoid persistent admin access. Use role-based, time-bound access via privileged access management (PAM) systems.
  2. Automate offboarding to revoke credentials, GitHub access, tokens, and MFA for all departing employees.
  3. Create separate admin roles for production, staging, and infrastructure; do not consolidate under a single identity.
  4. Disable root account operations except for rare, documented emergencies. Use delegated IAM roles with minimal privilege.
  5. Enforce phishing-resistant MFA for GitHub, cloud dashboards, CI/CD pipelines, and all privileged endpoints.
  6. Ensure all AWS activity logs are exported to separate, immutable storage to enable incident reconstruction after account compromise.
  7. Use AWS Organizations’ Service Control Policies to prevent destructive actions like unrestricted EC2 deletion.
  8. Implement CSPM tools to detect and alert on changes in permissions, network ACLs, or root account usage.
  9. Simulate insider and cloud takeover scenarios to validate readiness, including recovery playbooks and legal protocols.

Source:

  • https://techcrunch.com/2025/06/03/indian-grocery-startup-kiranapro-was-hacked-and-its-servers-deleted-ceo-confirms/
  • https://the420.in/indian-grocery-startup-kiranapro-hacked-servers-deleted-deepak-ravindran-response/

Ampcus Cyber