A security breach by one of India’s largest pharmacy chains allowed outsiders to gain full administrative control over its platform, exposing customer order data and sensitive drug control features, TechCrunch has learned exclusively.
The issue affected DavaIndia Pharmacy, the pharmacy arm of Zota Healthcare, which operates a large network of retail outlets across India. Security researcher Eaton Zveare told TechCrunch that he discovered the flaw after identifying insecure “super admin” APIs on DavaIndia’s website and privately sharing details with Indian cybersecurity authorities.
The bug has now been fixed and Zveare revealed his findings.
The exposure comes as Zota Healthcare is rapidly scaling DavaIndia Pharmacy’s retail business. The Gujarat-headquartered company operates more than 2,300 DavaIndia stores across India, including 276 new outlets announced in January, and plans to add another 1,200 to 1,500 over the next two years.
Zveare told TechCrunch that the flaw stemmed from insecure admin interfaces, which allowed unauthorized users to create “superadmin” accounts with high privileges.
With that level of access, an attacker could view thousands of online orders containing customer information, change product lists and prices, create discount coupons and change settings for whether certain drugs required a prescription, the researcher said.
Based on the system’s timestamps, Zveare said the vulnerable administrative interfaces appeared to have been live since late 2024. The access exposed nearly 17,000 online orders and administrative controls spanning 883 stores, he said, allowing for changes in product prices, prescription requirements and promotional discounts. Zveare said the access allowed for edits to website content that could have been used for destruction or disruption.
Pharmacy order data can be particularly sensitive as it can reveal information about a person’s health conditions, medications or other private purchases. Exposure of such data, even without evidence of misuse, carries increased privacy and patient safety risks compared to other consumer information.
“Customer information was attached to their orders,” Zveare said. “This includes name, phone numbers, email IDs, postal addresses, the total amount paid and the products purchased. Since this is a pharmacy, the products purchased may be considered private and even embarrassing to some people.”
Zveare said he reported the problem to CERT-In, India’s national cyber preparedness agency, in August 2025. The vulnerability was patched within weeks, though confirmation from the company took longer and was given to cyber authorities in late November, he said.
Sujit Paul, CEO of Zota Healthcare, did not respond to emails sent by TechCrunch last month. The researcher said there was no indication that the bug had been exploited before it was fixed.