Indian grocery delivery startup Kiranapro has been hacked and all data has been wiped out, the company's founder confirmed to TechCrunch.
The corrupted data included the company's app code and a server that contained a bank of sensitive customer information, including its name, mailing address and payment details.
The company's app is online but cannot process orders, TechCrunch discovered.
Released in December 2024, Kiranapro operates as a buyer's app on the Indian government's open network of digital commerce, allowing customers to purchase groceries from local stores and nearby supermarkets.
Kiranapro has 55,000 customers, 30,000 to 35,000 active buyers in 50 cities, and according to the company, it collects orders of 2,000 people every day. Unlike typical grocery delivery apps, Kiranapro offers a voice-based interface that allows users to place orders from local stores using voice commands in languages such as Hindi, Tamil, Malayalam, and English.
The startup had planned to expand to 100 cities 100 days before the incident occurred, Rabindran said.
On May 26, Kiranapro executives noticed the incident while logging into their Amazon Web Services account. The hackers had access to the root accounts of Kiranapro on AWS and GitHub, Ravindran told TechCrunch.
Ravindran shared a screenshot from the Github security log and a file containing sample activity logs around the time of the incident.
Sauraf Kumar, Chief Technology Officer of Kiranapro, told TechCrunch that the hack happened around May 24-25.
The startup said it used Google Authenticator for multifactor authentication for AWS accounts. Kumar told TechCrunch that when he tried to log in to his AWS account last week, the multifactor code was changed, removing all electric computing cloud (EC2) services that allow clients to access virtual computers and run applications.
“We can log in to IAM [Identity and Access Management] You can see that the account, the EC2 instances don't exist anymore, but since we don't have a root account, we can't get logs, etc,” he said.
Kiranapro contacted Github's support team to identify the hacker's IP address and other traces of the incident, Ravindran said.
Similarly, Ravindran told TechCrunch that the startup is filing cases against former employees.
It is unknown how the attack took place. Some of the biggest cyber attacks in recent years, including LastPass, Change Healthcare, and Snowflake, have been caused by qualification theft, including password still malware installed on employee laptops, and missing or unenhanced multifactor authentication.
Companies ultimately took responsibility for enforcing their own systems security, including whether employees must use multifactor authentication and whether they must terminate the accounts of former employees who are not working for the company.
Kiranapro counts Blume Ventures, unpopular ventures and turbostarts, Olympic medalists PV Sindhu and BCG MD Vikas Taneja as angel investors. The company has a team of 15 employees in Bengaluru and Kerala.