
TL;DR
- KiranaPro suffers major data deletion, including GitHub and AWS accounts
- Startup blames a former employee, but failed offboarding and security lapses raise questions
- External hack not ruled out, despite early claims of an internal breach
- Investigation ongoing, as company works to restore services and manage fallout
Indian grocery delivery startup KiranaPro is embroiled in a data breach crisis after losing critical infrastructure—its GitHub codebase and AWS cloud data—due to what it initially described as an internal breach. But co-founder and CEO Deepak Ravindran has since admitted that the company had failed to deactivate the credentials of the former employee in question, leaving the door open for external exploitation. The resulting uncertainty has fueled debate over security hygiene in early-stage startups and the accountability of founders during crises.
From Internal Blame to Uncertainty
The incident first came to light when KiranaPro discovered that access to its backend servers was blocked, and its entire GitHub repository, including source code, had been deleted. On June 6, CEO Deepak Ravindran posted on X (formerly Twitter) that the breach was purely internal and that “no external party penetrated” the company’s systems.
However, in an interview with TechCrunch, Ravindran admitted that the company never revoked the ex-employee’s credentials, and therefore cannot conclusively rule out an external hack. This key contradiction has sparked widespread scrutiny of the startup’s internal security protocols.
“If we go deeper, we have to do a real forensic investigation… We are going to talk to our board, the investors, and our legal advisers,” said Ravindran.
Company Bases Allegations on GitHub Email
Ravindran shared with TechCrunch a GitHub support email that identified the username associated with a former employee as the one that deleted the repository. That, he said, was the sole basis for blaming the individual.
But the company did not perform a forensic audit, nor could it confirm whether the GitHub access had been used by a third party through malware or compromised credentials. In fact, multi-factor authentication (MFA) had not been confirmed to be active on all employee devices.
Despite lacking hard evidence, the CEO publicly shared a screenshot of the ex-employee’s LinkedIn profile, claiming they were responsible—a move that raises ethical and potential legal concerns.
Broken Offboarding Process Revealed
KiranaPro’s chief technology officer, Saurav Kumar, confirmed that the company did not disable access to the former employee’s accounts after termination. He cited the absence of a full-time HR team as the reason for the lapse.
“Employee offboarding was not being handled properly,” Kumar told TechCrunch.
The lack of basic security measures, such as revoking credentials or enforcing MFA, likely left the company exposed to both internal sabotage and external exploitation.
This failure is particularly concerning given the sensitive nature of KiranaPro’s data: customer orders, payment information, and localized preferences—especially for a company operating on India’s Open Network for Digital Commerce (ONDC).
KiranaPro’s Operations and Recovery Efforts
Launched in late 2024, KiranaPro serves over 55,000 customers in 50 Indian cities, offering voice-based grocery shopping in English, Hindi, Malayalam, and Tamil. The startup raised ₹100 million (~$1.2 million USD) in seed funding, but as of this writing, those funds have not been fully wired, according to Ravindran.
The company confirmed that it lost access to both GitHub and AWS, which stored its source code and customer data. The AWS account was later restored, reportedly through employee backups. GitHub access was also reestablished.
“We recovered the GitHub data from a backup maintained by one of our engineers,” Ravindran said.
He claimed that customer data on AWS was not accessed or exfiltrated by any third party, adding, “Because if that is the case, I will get its notification on email.”
Still, the lack of audit logs, external forensic analysis, or third-party validation renders such claims speculative at best.
KiranaPro Data Loss Timeline and Stakeholders
| Key Event | Detail & Source |
| --- | --- |
| Incident Discovery | Early June 2025 |
| Deleted Systems | GitHub source code, AWS cloud data |
| Initial Blame | Internal breach via ex-employee |
| Contradiction | Company failed to offboard employee or enable MFA |
| Confirmed Breach Type | Still undetermined—external hack not ruled out |
| Customer Base | 55,000+ across 50 cities in India |
| Languages Supported | English, Hindi, Malayalam, Tamil |
| Investors | Blume Ventures, Unpopular Ventures, Turbostart |
| Notable Angels | PV Sindhu, Vikas Taneja (Boston Consulting Group) |
| Current Staff | 15 employees, split between Bengaluru and Kerala |
| Security Protocols | MFA used on AWS, but enforcement not consistently confirmed |
Seed Funding Amid Unpaid Salaries
KiranaPro’s timing couldn’t be worse: just weeks before the breach, the company secured a ₹100 million seed round from a mix of venture and angel investors. However, the funds were not fully transferred at the time of the incident.
Ravindran also confirmed that current employees have not been fully paid, an alarming sign amid an active security crisis. Legal experts suggest that unpaid salaries and public accusations without proof could expose the startup to litigation or regulatory scrutiny.
Legal Action Pending
Despite stating that the company has “enough evidence to file a police complaint,” KiranaPro has not yet initiated formal proceedings. The internal investigation is ongoing, but no external cybersecurity firm has been hired so far.
Legal analysts note that pursuing a complaint without conducting digital forensics or confirming device access logs could undermine the company’s case. Publicly naming a former employee on social media without verified proof may also trigger defamation claims.
Broader Implications for Indian Startups
KiranaPro’s data loss raises red flags for India’s fast-growing startup ecosystem, especially for companies operating on public platforms like ONDC. As digital commerce becomes core infrastructure in India, security maturity will be non-negotiable.
Incidents like this spotlight the urgent need for:
- Formal HR and offboarding protocols
- Mandatory MFA and device management
- Immediate credential revocation post-termination
- Third-party audits and incident response readiness
Early-stage startups, especially in regulated sectors, must balance agility with security governance—or risk losing both investor trust and customer data.
Conclusion
KiranaPro’s evolving data breach saga illustrates how startups can face catastrophic consequences from seemingly simple missteps like improper offboarding and inconsistent MFA enforcement. While the company has accused a former employee, it has yet to produce conclusive evidence or rule out external compromise.
As legal and financial uncertainties mount, the incident serves as a cautionary tale for founders: credibility hinges not just on innovation, but on how well crises are managed—and whether systems are built to prevent them in the first place.