Industry News | June 5, 2025

The rapid growth of India's quick commerce industry has been nothing less than revolutionary. Companies like KiranaPro are making it possible to shop for essentials in ways no one ever thought possible, linking kirana shops with digital consumers in less than 20 minutes. But such speed and scale create new, intricate challenges, above all in the field of cybersecurity.
In a recent and very troubling incident, KiranaPro's underlying infrastructure was crippled by a cyberattack that left sensitive customer information and the company's application code compromised. The attack, reportedly conducted through a former employee's hacked account, points to a sobering weakness in even the most technology-savvy startups.
What Happened at KiranaPro?
The breach was first discovered on May 26, when KiranaPro executives noticed suspicious activity as they logged in to their Amazon Web Services (AWS) account. They discovered that intruders had achieved root access to both their AWS and GitHub environments—essentially breaching the most secure components of their technology infrastructure.
As CEO Deepak Ravindran explained, the attackers ruined key data, including the source code of the company's applications and user data like names, addresses, and payment details. Even though the app is still technically online, it is not presently taking any orders, which implies a complete operational halt.
Attack Vector: Insider Access Gone Wrong
The breach was seemingly launched via the GitHub account credentials of a former employee. Even though KiranaPro utilized multi-factor authentication (MFA) using Google Authenticator, the hackers managed to breach this layer somehow, perhaps via device cloning or token tampering.
Once inside, the attackers erased all EC2 instances in AWS, the virtual servers that run KiranaPro's backend system. The company also lost control of its root AWS account, limiting its ability to retrieve logs or carry out an extensive forensic examination.
KiranaPro's Chief Technology Officer Saurav Kumar confirmed that although the IAM (Identity and Access Management) interface is still available, the lack of root-level access means they cannot recover any lost instances or thoroughly investigate the attack.
The Fallout: Data, Trust, and Legal Troubles
The effects of this cyberattack are multi-faceted:
Customer Trust Erosion: With sensitive personal and payment information breached, KiranaPro now has the daunting task of rebuilding user trust.
Business Downtime: Although the app is still live, the fact that it cannot process orders shows how severe the operational crisis is.
Legal Complications: The company is said to be suing some former employees for refusing to surrender their GitHub credentials—adding an HR and compliance layer of complexity to a bad situation.
Reputation Risk: Since KiranaPro had previously announced plans to onboard 100 million customers and 1 million kirana stores, this incident would severely jeopardize its future fundraising and partnership activities.
Why This Should Concern Every Tech-Led Business
The KiranaPro hack isn’t an isolated incident; it’s a case study in what can go wrong when internal access is not tightly governed, and source code is left unprotected. For startups running on lean teams and tight timelines, security protocols often take a back seat to rapid scaling. But this event clearly illustrates that security debt is real—and can be brutally expensive.
Some of the egregious weaknesses laid bare in this breach are:
No source code escrow or version backups outside affected platforms
No zero-trust architecture for access control
No indication that compliance frameworks such as ISO 27001 or SOC 2 exist
Too much dependence on one cloud provider (AWS) with no redundancy
Inadequate offboarding procedures for ex-employees
What is Source Code Escrow—and Why It Matters
Source code escrow is a risk management practice in which a third-party custodian keeps the source code for important applications. If there is a cyberattack, vendor shutdown, or sabotage, the code can be recovered and business can be restored with minimal interruption.
In the case of KiranaPro, an escrow agreement on source code with a regulated service provider would have guaranteed that the original app code was securely backed up and available even if AWS and GitHub were breached. It's not merely about backups—it's about business continuity.
Welcome to CastlerCode: India's Source Code Escrow Solution
In light of such exposures, businesses require more than firewalls—they require regulatory-grade software continuity planning, and that is where CastlerCode comes into play.
CastlerCode is India's first source code escrow and technology escrow compliant platform, providing a full risk mitigation framework for software-dependent enterprises. Here's how CastlerCode would have assisted KiranaPro—and can assist you:
1. Immutable Source Code Backups
With CastlerCode, your app code is safely stored in a bank-grade escrow account that is tamper-proof and under continuous surveillance. After any service downtime or malicious wiping, your business-critical IP can be recovered instantly.
2. Automated Deposits through GitHub & GitLab
CastlerCode comes pre-integrated with popular platforms such as GitHub and GitLab, enabling the automatic deposit of new code updates into the escrow vault. Your escrow is thus always current—there is no more "stale backup" issue.
3. Regulatory Compliance
Whether you are handling RBI, SEBI, or IRDAI regulations, CastlerCode helps ensure that your business fulfills all source code escrow requirements specified in multiple regulatory guidelines.
For instance, SEBI-regulated organizations are now required to escrow third-party technology dependencies under vendor risk management regulations. CastlerCode is already helping financial institutions and fintechs lead this compliance charge.
4. Multi-Party Access Controls
CastlerCode enables multi-signature release protocols, whereby code can be accessed only through mutual consent of the vendor, beneficiary, and Castler as the impartial third party. This provides zero trust architecture in practice, not theory.
5. Disaster Recovery-Ready
With duplicate cloud hosting across several geographies and scheduled disaster recovery exercises, CastlerCode is designed to resist even the most advanced cyberattacks—so your business never goes dark.
Conclusion: Don't Wait for a Breach to Secure Your Business
The KiranaPro breach is a warning that resounds through India's thriving digital economy. As more and more startups become cloud-first and API-native, the imperative for strong, autonomous technology risk management has never been greater.
CastlerCode is more than a software solution—it's a business continuity promise. From secure escrow storage and automated GitHub deposits to complete regulatory compliance, CastlerCode keeps your source code, and your business, safe—even in the event of worst-case circumstances.
Future-proof your startup with CastlerCode today
Check out www.castlercode.com or schedule a free demo today and discover how we can support your business in staying strong in the face of today's cyber risks.
Written by Chhalak Pathak, Marketing Manager