Surge in BackOffice Account Breaches


We have recently noticed a significant increase in PrestaShop store hacking, exploiting compromised BackOffice accounts due to stolen credentials. In late 2022, Profileo had already alerted its customers to this issue and recommended a change in BackOffice passwords. Unfortunately, we are still seeing waves of intrusions using the same methodology.

How hackers obtain credentials

Hackers use various techniques to obtain credentials, including:

  • Phishing: Sending fake emails or messages urging recipients to provide their credentials on fraudulent sites resembling legitimate sites.
  • Malware: Malicious software capable of stealing stored credentials on the victim’s computer or recording keystrokes to retrieve passwords.

These credentials are sometimes sold on the darknet, allowing other cybercriminals to exploit them. A single compromised employee can jeopardize the entire store.

Consequences of BackOffice access

Access to the BackOffice gives hackers full control of the store and lets them infect the site deeply. They can divert transactions, steal sensitive data, and spread other malware.

Security measures to adopt

Enable two-factor authentication (2FA) for BackOffice

Setting up two-factor authentication (2FA) is the most effective protection for securing access to your BackOffice. This method adds an additional step during login by requiring a unique code generated by an authentication app. Several PrestaShop modules allow activating this feature.

For reference, here are some examples of modules that offer this feature:


Change the BackOffice URL

To enhance your store’s security, it is recommended to change the BackOffice URL. Choose a unique and hard-to-guess URL, combining letters and numbers. To modify the URL, access your site via FTP and rename the existing BackOffice folder.

Disconnect existing employee sessions

After enabling 2FA and changing the BackOffice URL, it is essential to disconnect existing employee sessions for these changes to take effect. Indeed, the session (cookie) remains active even if you change the BO URL and activate 2FA. To force employee disconnection, change the psAdmin cookie name by creating an override of the Cookie class.

Here is an example of a Cookie override:

<?php
class Cookie extends CookieCore
{
    public function __construct($name, $path = '', $expire = null, $shared_urls = null, $standalone = false, $secure = false)
    {
        // Renaming the admin cookie invalidates every existing BackOffice session
        if ($name == 'psAdmin') {
            $name .= '1';
        }
        parent::__construct($name, $path, $expire, $shared_urls, $standalone, $secure);
    }
}

Also, remember to delete the class_index file for the override to take effect.
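The whole procedure (install the override, then clear the class index) as a script, added here as an example and not part of Profileo's or PrestaShop's code. It assumes the standard PrestaShop layout where overrides live in override/classes/ and the class index is cache/class_index.php; adjust the paths if your install differs.

```shell
#!/bin/sh
# Added example: force-disconnect all BackOffice sessions by renaming the
# psAdmin cookie through a Cookie override, then remove the cached class index.
# Assumed paths (standard PrestaShop layout): override/classes/Cookie.php
# for the override and cache/class_index.php for the class index.
set -eu

write_cookie_override() {
    shop_root="$1"
    mkdir -p "$shop_root/override/classes"
    # Quoted heredoc: $name stays literal PHP, not a shell variable
    cat > "$shop_root/override/classes/Cookie.php" <<'EOF'
<?php
class Cookie extends CookieCore
{
    public function __construct($name, $path = '', $expire = null, $shared_urls = null, $standalone = false, $secure = false)
    {
        // Renaming the admin cookie invalidates every existing BackOffice session
        if ($name == 'psAdmin') {
            $name .= '1';
        }
        parent::__construct($name, $path, $expire, $shared_urls, $standalone, $secure);
    }
}
EOF
    # PrestaShop caches class locations here; remove it so the override is loaded
    rm -f "$shop_root/cache/class_index.php"
}

# Returns 0 when the override is present and the stale class index is gone
verify_cookie_override() {
    shop_root="$1"
    grep -q "extends CookieCore" "$shop_root/override/classes/Cookie.php" || return 1
    grep -q "psAdmin" "$shop_root/override/classes/Cookie.php" || return 1
    [ ! -e "$shop_root/cache/class_index.php" ] || return 1
    return 0
}
```

Run it as write_cookie_override /path/to/shop followed by verify_cookie_override /path/to/shop; employees will have to log in again, now through the new URL and with 2FA.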

Good practices to adopt

In addition to 2FA, changing the BackOffice URL, and disconnecting employee sessions, we advise you to adopt the following best practices:

  • Use complex and unique passwords for each admin account
  • Change passwords regularly
  • Do not share your credentials with third parties

Feel free to contact our team if you wish us to perform these actions on your shop.