KiranaPro Cyberattack Exposes Sensitive Data, Including User Information and Backup Files

India's quick-commerce sector has just witnessed a massive cyberattack that compromised KiranaPro, one of its leading players. The incident exposed sensitive user information and backup files stored in the company's private GitHub repository, which was connected to Amazon Web Services (AWS).

"We were the victims of a devastating and deeply targeted cyberattack," said Deepak Ravindran, the founder of KiranaPro. "The data loss includes core application data, essential for running our application, along with sensitive user information." Despite the breach, KiranaPro's website remains active, with a banner at the top that reads: "Temporary downtime due to a security update."

The Implications of the Cyberattack

KiranaPro was founded in 2024 as a platform that allows users to buy groceries from nearby small stores. The cyberattack came at a time when the startup was preparing to expand its business to 100 more cities.

"The data loss was extensive," said Saurav Kumar, KiranaPro's CTO. "EC2 servers refer to Amazon's Elastic Compute Cloud – a rented virtual computer that runs our applications." The hacking is believed to have occurred around May 24-25, but the company only discovered it on May 26.

The quick-commerce company initially used a multi-factor authentication code generated by Google Authenticator. However, this code was changed and then used to log in to AWS, resulting in a breach of its EC2 data. The attackers exploited this access to infiltrate the company's virtual servers, CTO Kumar explained.

The Role of GitHub

GitHub's support team has been slow to share log data and IP timestamps, according to founder Deepak Ravindran. "GitHub cooperation is key to identifying the actor behind this," he added in a Reddit post. Ravindran also made posts on X and Reddit seeking help from the online community, especially former GitHub employees, to expedite traceability and gain access to security logs.

The Legal Implications

This incident highlights the importance of companies' responsibility for maintaining secure systems.

"It was deliberate. And it was personal. Our servers were breached, critical infrastructure was deleted, and sensitive customer data was compromised," read Ravindran's post on X. KiranaPro is not the first company to face cyberattacks and data breaches. Adidas suffered a similar incident last month, exposing sensitive user information.

Similarly, Marks & Spencer was hacked, and in November 2020, hackers accessed the personal information of more than 20 million BigBasket customers. These incidents demonstrate the ongoing threat posed by cyberattacks and data breaches.

The Unanswered Questions

We remain unsure of where this stolen data goes – and how it will be used or misused. For example, an anonymous hacker was found selling data of 31 million users through a simple chatbot on Telegram.

The leaked data from Star Health included not just names and addresses but also tax details, copies of ID cards, medical diagnoses, and test results. Because notorious hackers are rarely arrested or prosecuted, questions around the legal liability of private companies for maintaining vulnerable security systems are more important than ever.

The Law and Its Implications

Under Section 43A and Section 72A of the Information Technology Act, 2000, companies may be held liable for failing to protect user data and for the unlawful disclosure of personal information. This highlights the need for greater awareness and action on cyber security among Indian businesses.
