Edit History

venditdevs

Proper English corrections

Clarification on the Security Incident

We experienced this exact situation on a webshop we maintain. We have performed a thorough analysis and documented the entire case.

Attack Vector and Execution
The attacker performed a single, targeted login attempt on the back office, resulting in:

1: A direct, successful hit on the admin URL (which is unique and obfuscated).
2: An immediate successful login via an Addons support account.

Once access was gained, the attacker installed a malicious module named "mloader". This module created two overrides in head.tpl and layout-both-columns.tpl, using the exact code described in the recent security mailing from Prestashop. Additionally, communication with the attacker's server was handled via an in.php file placed in the public_html directory.

Investigation into the Source
We investigated how these specific credentials could have been compromised. Our audit confirmed that the only place these credentials were ever shared was within the Addons Marketplace, specifically for support on a module developed by Prestashop itself.

Searching for a potential "Prestashop data breach" reveals reports claiming that over 21 million customer records were leaked from the Prestashop Marketplace:

https://www.brinztech.com/breach-alerts/brinztech-alert-post-claims-exposure-of-21-3m-prestashop-customer-records/ 

https://socradar.io/prestashop-data-panorabanques-new-fraud-services/ 

Communication with Prestashop
We officially opened a case with the Prestashop security team in November 2025, providing all our findings. At that time, they stated they were investigating the potential breach but provided no confirmation. Despite us providing additional information about what happened, we never received a final response or follow-up.

Conclusion
Since other webshops are now being affected and Prestashop continues to claim the origin of the vulnerability is unknown, I feel obliged to make these findings public. The evidence strongly suggests that a data breach occurred and that credentials shared through the official Marketplace were leaked.
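One way a defender can triage web server access logs for the pattern the post describes (a client whose very first request lands on the obfuscated admin URL and whose first login POST succeeds, with no URL guessing or failed passwords in between, plus requests to the dropped in.php relay file). This is an added example, not the poster's code: the admin directory, the log lines and the assumption that a successful back-office login appears as a 302 on the AdminLogin POST are all constructed or assumed, so adjust them to your shop.

```python
import re
from collections import defaultdict

# Hypothetical obfuscated back-office directory (placeholder, not from the post).
ADMIN_DIR = "/admin-x7k2q9"

# Apache "combined" format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log, in chronological order (not data from the incident).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Nov/2025:02:14:01 +0000] "GET /admin-x7k2q9/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Nov/2025:02:14:09 +0000] "POST /admin-x7k2q9/index.php?controller=AdminLogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Nov/2025:02:15:30 +0000] "POST /admin-x7k2q9/index.php?controller=AdminModules HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Nov/2025:02:20:00 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [01/Nov/2025:02:20:01 +0000] "GET /administrator/ HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [01/Nov/2025:02:20:02 +0000] "GET /admin-x7k2q9/ HTTP/1.1" 200 5120 "-" "python-requests/2.31"
192.0.2.44 - - [01/Nov/2025:03:01:12 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2025:03:02:00 +0000] "GET /admin-x7k2q9/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Nov/2025:03:02:08 +0000] "POST /admin-x7k2q9/index.php?controller=AdminLogin HTTP/1.1" 200 5200 "-" "Mozilla/5.0"
198.51.100.99 - - [01/Nov/2025:04:00:00 +0000] "POST /in.php HTTP/1.1" 200 17 "-" "curl/8.0"
"""

def parse(log_text):
    """Yield (ip, method, path, status) for every line matching LOG_RE."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group(1), m.group(3), m.group(4), int(m.group(5))

def find_direct_admin_hits(log_text):
    """IPs whose very first request lands on the hidden admin dir and whose first
    AdminLogin POST succeeds: no URL guessing, no failed passwords. That is the
    'single targeted attempt' that points at leaked credentials, not brute force.
    Assumption: a successful login shows as a 302 redirect on the POST."""
    by_ip = defaultdict(list)
    for ip, method, path, status in parse(log_text):
        by_ip[ip].append((method, path, status))
    hits = []
    for ip, reqs in by_ip.items():
        if not reqs[0][1].startswith(ADMIN_DIR):
            continue  # first touch was elsewhere (normal visitor or scanner)
        logins = [s for m, p, s in reqs if m == "POST" and "controller=AdminLogin" in p]
        if logins and logins[0] == 302:
            hits.append(ip)
    return hits

def find_relay_file_requests(log_text, filename="/in.php"):
    """IPs that requested the dropped relay file named in the post (query string ignored)."""
    return sorted({ip for ip, _, path, _ in parse(log_text) if path.split("?")[0] == filename})
```

In the constructed sample, only 203.0.113.10 matches the direct-hit pattern; the scanner that guessed /admin/ first and the visitor who failed the login are both excluded.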

venditdevs

Typos

Just for some clarification. We had this exact same situation on a webshop we maintain. We followed the steps back and made a full, complete case.
What happened?

This "hacker" made a single login attempt on the back office, so:
1: Direct successful hit on the admin page (and yes, it's unique)
2: Direct successful login to the back office through an Addons support account.

This person installed a module "mloader" which made 2 overrides, in the head.tpl and layout-both-columns.tpl, with exactly the code described in the mail from Prestashop.
He communicated through an in.php file in the public_html folder, which was also placed there.

This is how this situation happens. And how? That's what we wondered too... So I started searching; the only place we communicated those credentials was in the Addons marketplace for support on a module developed by Prestashop itself.

So, I started searching on Google, just this: "Prestashop data breach"... and there we go, 21+ million customer records leaked from the Prestashop Marketplace..

https://www.brinztech.com/breach-alerts/brinztech-alert-post-claims-exposure-of-21-3m-prestashop-customer-records/
https://socradar.io/prestashop-data-panorabanques-new-fraud-services/

Of course we opened a case at the security team of Prestashop (November 2025) with the findings; they said they are going to investigate the breach (so, at that point no confirmation yet). We never got a final reaction on this case after providing additional info.
But now, because other webshops are involved and Prestashop says they don't know the origin of the vulnerability, I feel obliged to make this public. It is most likely that the data breach is 100% true and credentials were leaked.
