
Google Ads MCC Security Breach: Immediate Steps

Summary

– Hackers took over the agency’s Google Ads Manager Account through a single compromised employee email, despite two-factor authentication and allowed-domain settings already being in place.
– The attackers removed all other users, changed the domain to Gmail, granted access to many new users, and attempted large fraudulent credit card charges.
– Recovery involved immediately contacting Google representatives, filing Account Takeover Forms, and having clients disconnect from the compromised MCC to secure accounts.
– Key recovery practices included ensuring clients had admin access, using credit cards instead of bank accounts for billing, and maintaining clean MCCs with limited user permissions.
– Prevention strategies include enforcing unique passwords, ensuring only one 2FA method per user, using multi-party approval for changes, and regularly auditing account access.

On January 5, a significant security breach unfolded as hackers seized control of our Google Ads Manager Account. This was not an isolated incident. Based on industry communications, hundreds of agencies were compromised in this wave, impacting tens of thousands of client accounts downstream. Surviving this targeted account takeover provided critical lessons in crisis response and prevention that every business should understand.

Our breach occurred despite having two-factor authentication (2FA) and allowed domains properly configured. Intruders gained entry through a single employee’s email. The attack was deliberate; that night, they attempted access through two other company emails before succeeding with the third. We believe the initial point of compromise was either a phishing attack or a stolen password, but a more alarming discovery followed. The account used by the hackers had actually been under their control for months, during which they established their own 2FA method, operating undetected.

Upon entry, the hackers’ first move was to remove all legitimate users from the MCC. They changed the allowed domain to Gmail, granting access to numerous outside individuals. They then created a new MCC under our agency’s name and began inviting our clients. Fortunately, no client accepted these fraudulent invitations. In just a few hours, the attackers created widespread chaos: stripping user permissions from some accounts, altering payment methods in others, launching new campaigns in a few, and attempting massive credit card charges approaching half a million dollars on two accounts, even without running ads.

Our recovery process began immediately. We were fortunate to regain control within eight hours and restore full access in just over a week. The hackers spent only about $100, and the large credit card charges were blocked. Full recovery took two weeks, guided by a clear series of steps.

We contacted our dedicated Google representatives without delay. Having established relationships with Google reps proved invaluable, as they advocated on our behalf, maintained pressure on support cases, and connected us with essential resources. For those without direct representatives, the same recovery paths are available through standard support channels.

We were directed to Google’s official resource for compromised accounts and filed Account Takeover Forms for every affected account, including the MCC. Initially, the form discouraged use for MCCs, but that guidance has since been updated. Regaining MCC access is crucial, as it streamlines the recovery of all linked accounts rather than requiring individual tickets.

We instructed clients who retained access to their accounts to immediately disconnect from our compromised MCC and grant access to a secure, non-breached email address we controlled. This allowed us to secure the accounts and begin damage mitigation. We simultaneously triaged all accounts to identify which we could still access and which were left with no administrative users.

Disconnecting accounts from the MCC became a critical step. Once separated, we could easily reset billing profiles by editing the payment manager, reversing all unauthorized changes made by the hackers. After securing the billing, we reconnected the accounts to our restored MCC without issue.

Upon regaining entry, we immediately reviewed the change history at the MCC level. This provided a complete, time-stamped log of every action the hackers took, enabling us to construct an accurate timeline and address any lingering issues systematically.
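As an added illustration of the change-history review described above (not code from the article or from Google), this Python script triages a constructed, simplified change-history export and flags the kinds of actions the intruders took: user removals, allowed-domain changes, billing edits and new spend. The row format, action names and working-hours window are assumptions, not the real Google Ads export schema, so map them to your own export's columns.

```python
from datetime import datetime

# Actions matching what the intruders did first in the article: strip users,
# widen the allowed domain, alter billing, invite clients, start spending.
HIGH_RISK_ACTIONS = {
    "USER_REMOVED", "USER_ADDED", "ALLOWED_DOMAIN_CHANGED",
    "PAYMENT_METHOD_CHANGED", "CAMPAIGN_CREATED", "MANAGER_LINK_INVITED",
}
OFF_HOURS = (range(22, 24), range(0, 6))  # assumed local working day

# Constructed sample export (not real data): time|actor|action|account|detail
SAMPLE_LOG = """\
2025-01-05T23:41:00|jr.analyst@agency.example|USER_REMOVED|MCC-001|removed owner@agency.example
2025-01-05T23:43:10|jr.analyst@agency.example|ALLOWED_DOMAIN_CHANGED|MCC-001|agency.example -> gmail.com
2025-01-05T23:50:30|unknown.actor@gmail.com|PAYMENT_METHOD_CHANGED|CLIENT-042|new card (constructed)
2025-01-06T00:05:00|unknown.actor@gmail.com|CAMPAIGN_CREATED|CLIENT-042|budget 250000
2025-01-06T09:15:00|owner@agency.example|BID_ADJUSTED|CLIENT-017|+5% mobile
"""

def parse_log(text):
    """Parse the pipe-delimited rows into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, actor, action, account, detail = line.split("|", 4)
            events.append({"time": datetime.fromisoformat(ts), "actor": actor.lower(),
                           "action": action, "account": account, "detail": detail})
    return sorted(events, key=lambda e: e["time"])

def triage(events, known_staff, allowed_domains):
    """Return (event, reasons) pairs for every event a responder should review."""
    findings = []
    for e in events:
        reasons = []
        if e["actor"] not in known_staff:
            reasons.append("unknown actor")
        if e["actor"].rsplit("@", 1)[-1] not in allowed_domains:
            reasons.append("actor domain not in allow-list")
        # Identity alone is not enough: the takeover ran under a legitimate employee address.
        if e["action"] in HIGH_RISK_ACTIONS:
            reasons.append("high-risk action")
        if any(e["time"].hour in hours for hours in OFF_HOURS):
            reasons.append("outside working hours")
        if reasons:
            findings.append((e, reasons))
    return findings

def impacted_accounts(findings):
    # Every account touched by a flagged event needs its billing and access reset.
    return sorted({e["account"] for e, _ in findings})
```

The sorted findings double as the time-stamped timeline the article recommends building; the impacted-account list drives the disconnect-and-reset step for each client account.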

Several best practices for account security were reinforced through this ordeal. Ensuring clients have their own administrative access is both an ethical imperative and a practical safeguard. It allowed us to work on accounts even while locked out of the MCC, and Google required approval from existing admins for critical changes, which halted some hacker actions.

Maintaining a clean MCC structure by removing old clients and unused tool integrations reduces attack surfaces. We have since adopted this as a standard practice. Furthermore, limiting team access to the minimum necessary level is essential. The compromised account belonged to a junior team member who did not require admin-level permissions.

Never link bank accounts directly to an MCC. Using credit cards or invoicing provides a vital layer of financial protection. In our case, the attempted massive credit card charges were flagged and rejected by the card companies, and invoiced clients were never charged for fraudulent activity.

Finally, investing in professional relationships with Google representatives and peer agencies provided indispensable support and guidance throughout the crisis.

For those looking to prevent such a breach, proactive measures are key. Start with a complete security reset: remove all users from the account, mandate password resets for everyone, and log out all active sessions. Our hackers had maintained persistent access for over two months by keeping sessions alive; a forced reset would have revoked their access.

Ensure only one 2FA method exists per user, preferring authenticator apps or physical security keys over SMS. The hackers had created their own 2FA on our employee’s account, which went entirely unnoticed. Regularly audit and limit user access to the absolute minimum required.

Enable Google’s multi-party approval feature, which requires a second admin to verify significant changes before they are executed. This relatively new tool is a powerful deterrent against account takeovers.

Regularly back up your account structures using Google Ads Editor to export data to a spreadsheet. This habit ensures you have a recent configuration snapshot to restore if needed.

Enforce the use of strong, unique passwords that are not reused elsewhere. We still do not know how the hackers initially bypassed the password stage to establish their own 2FA.

Consider investing in security monitoring software or a cybersecurity consultant. Since implementing this, we have been alarmed by the number of phishing attempts already intercepted in a short timeframe.

A crucial note for clients: if an agency manages your Google Ads, never accept unexpected MCC access requests. Always verify the legitimacy of any new invitation directly with your known account team before approving.

Google is aware of these systemic vulnerabilities and is working to enhance platform security. In the interim, applying these proactive security measures can significantly reduce risk. The effort invested in prevention is minimal compared to the considerable disruption of recovering from a hack.

(Source: Search Engine Land)
