Cyberattack hits Indian grocery delivery startup, data exposed
Indian grocery delivery startup KiranaPro has suffered a cyberattack that led to the deletion of its servers and sensitive customer data.
Co-founder and CEO Deepak Ravindran confirmed the incident on June 3, 2025.
The compromised data included app code, customer names, addresses, and payment details. Although the app is still online, it currently cannot process orders.
The attack happened between May 24 and May 25. Hackers gained access to KiranaPro’s AWS and GitHub root accounts, possibly using credentials from a former employee.
The startup, launched in December 2024, serves 55,000 customers in 50 cities and is backed by Blume Ventures, Unpopular Ventures, and Turbostart.
🔗 Source: TechCrunch
KiranaPro’s breach follows a pattern of security incidents in India’s food tech industry dating back several years.
In 2017, Zomato suffered a major breach affecting 17 million user records when hackers compromised an employee’s development account, exposing email addresses and hashed passwords 1.
That same year, McDonald’s India faced a similar crisis when a poorly configured server leaked approximately 2.2 million users’ personal data, including names, email addresses, home addresses, and phone numbers 2.
FreshMenu concealed a 2016 data breach affecting 110,000 users (exposing names, emails, phone numbers, and order histories) until it was revealed by security researchers in 2018, demonstrating the transparency challenges these incidents create 3.
These recurring breaches highlight persistent security vulnerabilities in India’s rapidly growing digital food services ecosystem, where user growth often outpaces security infrastructure development.
KiranaPro’s breach via a former employee’s account exemplifies a common yet dangerous security oversight in startups.
Research shows that properly implemented multi-factor authentication (MFA) can prevent up to 99.9% of account compromise attacks, yet many organizations fail to consistently enforce it across all accounts 4.
Microsoft reports that over 1,000 password attacks occur every second, with 99.9% of compromised accounts lacking MFA protection, making access management a critical vulnerability 5.
The breach demonstrates how startups often neglect to terminate access privileges when employees leave, creating persistent security gaps that hackers can exploit long after employment ends.
This pattern of inadequate access management is particularly dangerous for early-stage companies like KiranaPro that handle sensitive customer data but may lack comprehensive offboarding security protocols.
For a startup like KiranaPro with 55,000 customers, the financial impact of this breach could be existential.
Small businesses can expect to pay between $120,000 and $1.24 million to address a data breach in 2025, according to recent research – a potentially catastrophic sum for early-stage ventures 6.
Beyond immediate recovery costs, breaches typically trigger long-term customer attrition, with 69% of consumers reporting they avoid businesses that have experienced security incidents 7.
The average cost of a data breach rose to $4.24 million in 2024, the highest in 17 years, with small businesses being disproportionately targeted – 70% of cyber-attacks aim at smaller companies that often lack robust security infrastructure 7.
These figures illustrate why cybersecurity experts consider data breaches to be potential “company killers” for startups, where recovery costs can quickly exceed available capital and investor confidence is easily shattered.
……Read full article on Tech in Asia