Indian pharmacy chain giant exposed customer data and internal systems


  • DavaIndia Pharmacy flaw let unauthenticated users create “super admin” accounts with full privileges
  • Exposed sensitive customer data tied to orders, including health conditions, medications, and personal details
  • Bug responsibly disclosed in 2024, fixed by late 2025; no evidence of malicious exploitation, customer data likely secure

A major Indian pharmacy chain operated a flawed platform which exposed highly sensitive data of millions of users, experts have warned.

DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, currently runs more than 2,300 stores across the country. However, its platform contained a bug that allowed unauthenticated users to create “super admin” accounts.

These accounts came with high privileges, giving an attacker access to extremely sensitive information: they could exfiltrate customer information (including health conditions, medications, and other private purchases), tamper with product listings (modifying entries and prices), create discounts and coupons, change which drugs required a doctor’s prescription, and more.

Fixing the bug

The bug was discovered by security researcher Eaton Zveare, who said the bug was introduced in late 2024 and has since exposed nearly 17,000 online orders and admin controls across more than 800 stores.

“Customer information was linked to their orders,” Zveare told TechCrunch. “This includes name, phone numbers, email IDs, mailing addresses, total amount paid, and the products purchased. Since this is a pharmacy, the products being purchased could be considered private and even embarrassing for some people.”

In August 2025, Zveare responsibly disclosed his findings to CERT-In, the country’s national cybersecurity emergency response agency. After a few weeks, in mid-September, he noticed the bug was fixed, and asked for confirmation. However, DavaIndia only gave its confirmation in late November 2025.

Zveare said there is no evidence that a malicious actor discovered this flaw before, and that customer data is most likely secure. Therefore, no action is required on the user side: passwords, payment data, and other secrets remain secure.



Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
