KiranaPro Cyberattack: A Wake-Up Call for India’s Digital Commerce Ecosystem

The KiranaPro cyberattack exposed major security gaps in India’s digital commerce. Learn how source code escrow with CastlerCode could have prevented it and why every tech startup needs it now. Secure your IP before it’s too late.

Industry News | June 5, 2025 - 6 MINS READ

KiranaPro, scam alert, quick commerce scam, source code

The growth of India's quick commerce industry has been nothing less than revolutionary. Companies like KiranaPro let people shop for essentials in ways few thought possible, linking kirana shops with digital consumers in less than 20 minutes. But such speed and scale create new, intricate challenges, above all in cybersecurity.

In a recent and very troubling incident, KiranaPro's underlying infrastructure was crippled by a cyberattack that compromised sensitive customer information and the company's application code. The attack, which according to reports was conducted through a former employee's compromised account, points to a sobering weakness in even the most technology-savvy startups.

What Happened at KiranaPro?

The breach was first discovered on May 26, when KiranaPro executives noticed suspicious activity as they logged in to their Amazon Web Services (AWS) account. They discovered that intruders had achieved root access to both their AWS and GitHub environments—essentially breaching the most secure components of their technology infrastructure.

As CEO Deepak Ravindran explained, the attackers destroyed key data, including the source code of the company's applications and user data such as names, addresses, and payment details. Even though the app is still technically online, it is not presently taking any orders, which implies a complete operational halt.

Attack Vector: Insider Access Gone Wrong

The breach was seemingly launched via the GitHub account credentials of a former employee. Even though KiranaPro utilized multi-factor authentication (MFA) using Google Authenticator, the hackers managed to breach this layer somehow, perhaps via device cloning or token tampering.

Once inside, the attackers erased all EC2 instances in AWS, the virtual servers that run KiranaPro's backend system. The company also lost control of its root AWS account, limiting its ability to retrieve logs or conduct an extensive forensic examination.

KiranaPro's Chief Technology Officer Saurav Kumar confirmed that although the IAM (Identity and Access Management) interface is still available, the lack of root-level access means they cannot recover any lost instances or thoroughly investigate the attack.

The Fallout: Data, Trust, and Legal Troubles

The effects of this cyberattack are multi-faceted:

  • Customer Trust Erosion: With sensitive personal and payment information breached, KiranaPro now has the daunting task of rebuilding user trust.

  • Business Downtime: Although the app remains online, its inability to process orders shows how severe the operational crisis is.

  • Legal Complications: The company is said to be suing some former employees for refusing to surrender their GitHub credentials—adding an HR and compliance layer of complexity to a bad situation.

  • Reputation Risk: Since KiranaPro had previously announced its plans of onboarding 100 million customers and 1 million kirana stores, this incident would severely jeopardize its future fundraising and partnership activities.

Why This Should Concern Every Tech-Led Business

The KiranaPro hack isn’t an isolated incident; it’s a case study in what can go wrong when internal access is not tightly governed, and source code is left unprotected. For startups running on lean teams and tight timelines, security protocols often take a back seat to rapid scaling. But this event clearly illustrates that security debt is real—and can be brutally expensive.

Some of the egregious weaknesses laid bare in this breach are:

  • No source code escrow or version backups outside affected platforms

  • No zero-trust architecture for access control

  • No indication that compliance frameworks such as ISO 27001 or SOC 2 exist

  • Too much dependence on one cloud provider (AWS) with no redundancy

  • Inadequate offboarding procedures for ex-employees
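
The offboarding and root-access gaps in the list above can be checked mechanically. The following is an added example, not code from the article, KiranaPro or Castler: it audits an AWS IAM credential report against a roster of departed staff. The report rows (a subset of the real report columns), the account ID and the roster are all constructed for illustration.

```python
import csv
import io

# Constructed sample in the column layout of an AWS IAM credential report
# (subset of the real columns; every value is invented for illustration).
SAMPLE_REPORT = """user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active
<root_account>,arn:aws:iam::111122223333:root,not_supported,false,true,2025-05-20T10:00:00+00:00,false
asha,arn:aws:iam::111122223333:user/asha,true,true,false,N/A,false
vikram,arn:aws:iam::111122223333:user/vikram,true,false,true,2025-05-25T08:30:00+00:00,false
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,false,false,true,2025-05-26T01:00:00+00:00,false
"""

# Hypothetical HR roster of people who have left the company.
DEPARTED = {"vikram"}


def audit(report_csv, departed):
    """Return (user, finding) tuples for credentials that should not exist."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        has_keys = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        has_password = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"
        if user == "<root_account>":
            # Root is not restricted by IAM policies, so long-lived keys
            # and missing MFA on it are each reported as findings.
            if has_keys:
                findings.append((user, "root access key active"))
            if not mfa:
                findings.append((user, "root without MFA"))
            continue
        if user in departed and (has_keys or has_password):
            findings.append((user, "departed user still has live credentials"))
        if has_password and not mfa:
            findings.append((user, "console password without MFA"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, DEPARTED):
        print(f"{user}: {finding}")
```

The same roster comparison applies to the member list of a GitHub organization; only the input format changes.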

What is Source Code Escrow—and Why It Matters

Source code escrow is a risk management practice in which a third-party custodian keeps the source code for important applications. If there is a cyberattack, vendor shutdown, or sabotage, the code can be recovered and business can be restored with minimal interruption.

In the case of KiranaPro, an escrow agreement on source code with a regulated service provider would have guaranteed that the original app code was securely backed up and available even if AWS and GitHub were breached. It's not merely about backups—it's about business continuity.

Welcome to CastlerCode: India's Source Code Escrow Solution

In light of such exposures, businesses require more than firewalls—they require regulatory-grade software continuity planning, and that is where CastlerCode comes into play.

CastlerCode is India's first source code escrow and technology escrow compliant platform, providing a full risk mitigation framework for software-dependent enterprises. Here's how CastlerCode would have assisted KiranaPro—and can assist you:

1. Immutable Source Code Backups

With CastlerCode, your app code is safely stored in a bank-grade escrow account that is tamper-proof and under continuous surveillance. After any service downtime or malicious wiping, your business-critical IP can be recovered instantly.

2. Automated Deposits through GitHub & GitLab

CastlerCode comes pre-integrated with popular platforms such as GitHub and GitLab, enabling the automatic deposit of new code updates into the escrow vault. Your escrow is thus always current—there is no more "stale backup" issue.

3. Regulatory Compliance

Whether you are handling RBI, SEBI, or IRDAI regulations, CastlerCode helps ensure that your business fulfills all source code escrow requirements specified in multiple regulatory guidelines.

For instance, SEBI-regulated organizations are now required to escrow third-party technology dependencies under vendor risk management regulations. CastlerCode is already helping financial institutions and fintechs lead this compliance charge.

4. Multi-Party Access Controls

CastlerCode enables multi-signature release protocols, whereby code can be accessed only through mutual consent of the vendor, beneficiary, and Castler as the impartial third party. This provides zero trust architecture in practice, not theory.

5. Disaster Recovery-Ready

With duplicate cloud hosting across several geographies and scheduled disaster recovery exercises, CastlerCode is designed to resist even the most advanced cyberattacks—so your business never goes dark.

Conclusion: Don't Wait for a Breach to Secure Your Business

The KiranaPro breach is a warning that resounds through India's thriving digital economy. As more and more startups become cloud-first and API-native, the need for strong, autonomous technology risk management has never been greater.

CastlerCode is more than a software solution—it's a business continuity promise. From secure escrow storage and automated GitHub deposits to complete regulatory compliance, CastlerCode keeps your source code, and your business, safe—even in the event of worst-case circumstances.

Future-proof your startup with CastlerCode today

Check out www.castlercode.com or schedule a free demo today and discover how we can support your business in staying strong in the face of today's cyber risks.

Written By

Chhalak Pathak

Marketing Manager

India's Largest Escrow-as-a-Service Platform

Escrow account services are complex but Castler's modular, flexible & full stack solution makes it simple for you.

Castler automates the Escrow account management and improves the user experience for managing payments and settlements. By leveraging technology to streamline these transactions, Castler makes the process more efficient, secure and convenient for its users

India's Leading Escrow Company.

Escrow Banking

Investment Escrow

Marketplace

Lending escrow

Fintech escrow

Mergers & acquisition

Regulator mandated escrow

Profit sharing

Franchisor-Franchisee

Dealer-Distributor

Dispute resolution

Litigation escrow

Liquidation

Copyright @2025 Castler (Ncome Tech Solutions Pvt. Ltd.) All rights reserved | Made in India 🇮🇳
