- DavaIndia Pharmacy bug allowed unauthorized users to create “super admin” accounts with full privileges
- Exposed sensitive customer data linked to orders, including health conditions, medications and personal information
- Flaw introduced in 2024, fixed in late 2025; no evidence of malicious exploitation, customer data likely safe
A major Indian pharmacy chain operated a flawed platform that exposed highly sensitive data from millions of users, experts have warned.
DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, currently operates more than 2,300 stores across the country – however, its platform was flawed in a way that allowed unauthorized users to create “superadmin” accounts.
These accounts came with high privileges, which would have allowed an attacker to access extremely sensitive information and functions: they could delete customer information (including health conditions, medications and other private purchases), manipulate product listings (changing items and prices), create discounts and coupons, change which drugs require a doctor’s prescription, and more.
Fixing the flaw
The flaw was discovered by security researcher Eaton Zveare, who said the bug was introduced in late 2024 and has since exposed nearly 17,000 online orders and admin controls across more than 800 stores.
“Customer information was linked to their orders,” Zveare told TechCrunch. “This includes name, phone numbers, email IDs, postal addresses, the total amount paid and the products purchased. Since this is a pharmacy, the products purchased may be considered private and even embarrassing to some people.”
In August 2025, Zveare responsibly disclosed his findings to CERT-In, the country’s national cyber security preparedness agency. After a few weeks, in mid-September, he noticed that the error had been fixed and asked for confirmation. However, DavaIndia gave its confirmation only at the end of November 2025.
Zveare said there is no evidence that a malicious actor has discovered this flaw before, and that customer data is most likely safe. Therefore, no action is required from the user side: passwords, payment data and other secrets remain secure.



