The company said the cyberattack destroyed its servers and customer data.
# Incident Report: KiranaPro Data Deletion and Server Wipe
## Executive Summary
Indian grocery startup KiranaPro suffered a major security incident where attackers gained access to their root AWS and GitHub accounts, leading to the complete deletion of all servers and proprietary data, including the mobile application code and sensitive customer information. The incident was discovered on May 26, 2025, and appears to have originated from credentials associated with a former employee's account, indicating a potential compromise of the MFA token or session.
## Incident Details
- Discovery Date: May 26, 2025
- Incident Date: Approximately May 24-25, 2025
- Affected Organization: KiranaPro
- Sector: E-commerce / Grocery Delivery (Leveraging ONDC)
- Geography: India
## Timeline of Events
### Initial Access
- **Date/Time:** Around May 24-25, 2025
- **Vector:** Compromised credentials, potentially linked to a former employee's account accessing root AWS and GitHub accounts.
- **Details:** Attackers successfully breached both the Amazon Web Services (AWS) root accounts and GitHub repository access. While MFA (Google Authenticator) was reportedly in use for AWS, the bypass is currently attributed to the compromised former employee's session or token.
### Lateral Movement
- Not explicitly detailed, but access to root AWS accounts implies high-level access necessary to execute the final destructive action.
### Data Exfiltration/Impact
- **Date/Time:** Post-access, preceding discovery.
- **Impact:** Complete deletion of all company data, including the company's application code and servers containing sensitive customer information.
### Detection & Response
- **Date/Time:** May 26, 2025
- **Detection:** Company executives became aware of the incident when logging into their AWS account.
- **Response actions taken:** Immediate confirmation of the security breach and engagement with media outlets (TechCrunch) to report the situation. The application remains online but cannot process orders.
## Attack Methodology
- **Initial Access:** Compromise of credentials (likely username/password) associated with a former employee's account, leading to access of AWS root and GitHub administrative accounts.
- **Persistence:** Not detailed, but the destructive nature suggests attackers maintained access long enough to execute mass deletion commands.
- **Privilege Escalation:** Gaining access to **root accounts** on AWS provided maximum privileges needed to delete infrastructure.
- **Defense Evasion:** Use of a possibly compromised Google Authenticator MFA token or a hijacked authenticated session is suggested, or the MFA step was bypassed entirely through root-account access methods.
- **Credential Access:** Implied compromise of stored credentials or active session tokens related to the former employee.
- **Discovery:** Direct access to configuration or source code repositories (GitHub) to map the environment.
- **Lateral Movement:** Movement from the initial compromised account to the highest privilege levels (AWS root).
- **Collection:** Gathering of sensitive customer data (names, mailing addresses, payment details) prior to deletion.
- **Exfiltration:** It is not explicitly stated whether data was exfiltrated, but the access to sensitive customer data suggests this was a goal alongside destruction.
- **Impact:** Complete data destruction (Wiper attack executed against infrastructure).
## Impact Assessment
- **Financial:** Unknown, but expected to be significant due to total loss of core proprietary code and customer database, halting business operations.
- **Data Breach:** **Confirmed breach** of customer data including names, mailing addresses, and payment details for 55,000 customers.
- **Operational:** The app is online but cannot process orders, halting all business activity for the grocery delivery service.
- **Reputational:** Significant negative impact, confirmed via public reporting by TechCrunch, affecting trust among its 30,000-35,000 active users.
## Indicators of Compromise
- **Network indicators:** Access to AWS root accounts and GitHub accounts from suspicious sessions or IP addresses (specifics not provided).
- **File indicators:** Traces of mass deletion across AWS infrastructure (specifics not provided).
- **Behavioral indicators:** Execution of mass deletion commands across the cloud environment and source control repositories.
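The behavioral indicators above (root-account activity followed by mass deletion) can be checked against CloudTrail records. The following is an added example, not code from the report or from KiranaPro; the CloudTrail records are constructed, the account ID is the AWS documentation placeholder, and the destructive-call watchlist and burst thresholds are assumptions.

```python
# Added example: flag AWS root-account usage and bursts of destructive API calls
# in CloudTrail records (one JSON record per line).
import json
from collections import defaultdict
from datetime import datetime

# Assumed watchlist of API calls that remove infrastructure or data outright.
DESTRUCTIVE = {"DeleteBucket", "DeleteObject", "TerminateInstances",
               "DeleteDBInstance", "DeleteSnapshot", "DeleteStack"}

def parse_events(lines):
    """Parse CloudTrail JSON records, one per line, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]

def flag_events(events, burst=3, window_s=300):
    """Return findings: every root-identity event, plus any principal that
    issues `burst` or more destructive calls within `window_s` seconds."""
    findings = []
    per_actor = defaultdict(list)
    for ev in events:
        ident = ev["userIdentity"]
        actor = ident.get("arn", ident.get("type"))
        name = ev["eventName"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if ident["type"] == "Root":          # root should almost never be used
            findings.append(("root-activity", name, ev["sourceIPAddress"]))
        if name in DESTRUCTIVE:
            per_actor[actor].append(ts)
    for actor, times in per_actor.items():   # sliding window over deletions
        times.sort()
        for i in range(len(times) - burst + 1):
            if (times[i + burst - 1] - times[i]).total_seconds() <= window_s:
                findings.append(("destructive-burst", actor, burst))
                break
    return findings

# Constructed sample record builder (placeholder account ID, TEST-NET-2 IP).
def _rec(name, t, kind="Root", arn="arn:aws:iam::123456789012:root",
         ip="198.51.100.7"):
    return json.dumps({"eventTime": t, "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"type": kind, "arn": arn}})

# Constructed scenario: root console login, then three deletions in ~2.5 minutes.
SAMPLE = [
    _rec("ConsoleLogin", "2025-05-25T01:02:03Z"),
    _rec("DeleteBucket", "2025-05-25T01:05:10Z"),
    _rec("TerminateInstances", "2025-05-25T01:06:00Z"),
    _rec("DeleteDBInstance", "2025-05-25T01:07:30Z"),
]

if __name__ == "__main__":
    for finding in flag_events(parse_events(SAMPLE)):
        print(finding)
```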
## Response Actions
- **Containment measures:** Executives identified the breach upon logging into AWS accounts. Full scope of damage confirmed: server and data wipe.
- **Eradication steps:** Not detailed, but required re-provisioning and restoration from backups (if available, which is unconfirmed following root deletion).
- **Recovery actions:** The company is currently offline for order processing and working to restore services.
## Lessons Learned
- **Former Employee Access:** Credentials or active sessions belonging to former employees pose a critical, persistent risk if access is not immediately revoked.
- **MFA Limitations:** Relying solely on standard time-based one-time passwords (such as Google Authenticator) can be insufficient for protecting root accounts if the token or an already-authenticated session is compromised.
- **Data Sensitivity:** The complete loss of application code and customer databases highlights a catastrophic failure in redundancy and infrastructure security posture.
## Recommendations
- Immediately revoke and reissue all access keys, tokens, and credentials associated with the compromised former employee, including any associated API keys stored centrally.
- Implement strict hardware-based MFA (e.g., YubiKeys) for all root/administrative cloud accounts (AWS root).
- Develop and enforce a zero-trust policy for system access, especially when dealing with former employee accounts or contractors.
- Implement immutable backups and robust data segregation to ensure that administrative access to cloud infrastructure cannot unilaterally delete all primary and backup data.
- Review offboarding procedures to ensure that all system access for departing employees is revoked at the same time.