At midnight on Jan. 5, hackers took over our Google Ads Manager Account (MCC). We weren’t alone. While it’s hard to get an exact count, hundreds, if not thousands, of agencies have been affected by the hacks, in turn affecting tens of thousands of accounts.
While I wouldn’t wish this experience on our worst enemy, having been through it, I have some insights that I hope can help you prevent the same experience from happening to your MCC account.
How we were hacked
Despite having two-factor authentication (2FA) and allowed domains enabled, the hackers were able to get into our account via an employee’s email address. It was clearly a targeted hack: the night of the hack, the hackers tried to get in via two other email accounts at our company before they succeeded with the third.
While phishing or compromised passwords may have originally gotten them into the system — we still don’t know which — we later learned that the account the hackers used had been compromised for months and that they had created their own 2FA that they had been using all along.
Once they gained access to our account, the hackers removed everyone else’s access to the MCC. They then changed the allowed domain to Gmail and granted access to over a dozen people. The hackers then created a new MCC in our company’s name and invited most of our clients. Luckily, none of them accepted.
In the few hours they were in the MCC, the hackers proceeded to create chaos. They removed all the users from some accounts and changed the payment method in others. They launched new campaigns on only a few accounts, yet somehow also attempted half-million-dollar credit card charges on two others (despite not running any ads in those accounts).
Your customers search everywhere. Make sure your brand shows up.
The SEO toolkit you know, plus the AI visibility data you need.
Start Free Trial
Get started with
What happened after the hack
We were very lucky. The hackers were locked out within eight hours, and we regained access in just over a week. They spent only about $100 across the MCC. Neither crazy credit card charge went through. We were fully recovered from the hack within two weeks. How did we do this? Let’s take a look at the steps we took.
Step 1: We contacted Google
When we were hacked, we immediately contacted our reps at Google. We’re incredibly lucky to have wonderful Google reps with whom we’ve built longstanding relationships, including one we’ve worked with for over three years.
These long-term relationships helped, and our reps went to bat for us. They continued to put pressure on the support cases until they were resolved and helped connect us to the resources we needed. Not everyone has their own reps, but you can also take these steps on your own.
Step 2: Fill out the forms
Our Google reps immediately directed us to their “What to do if your account is compromised” resource. From there, we filed Account Takeover Forms, alerting Google to the hack. We were directed to file a form for each of our accounts that had been hacked.
We first filed one for our MCC, even though the form, at the time, said not to use it for MCCs. It looks like that language has since been changed, which is great — don’t skip this step. Getting back into the MCC makes it easier to resolve all issues, rather than having to file tickets and coordinate access for each account.
Step 3: Contact clients
At the same time, we directed any clients who still had access to their accounts to disconnect them from our MCC, and to grant access to a non-compromised email account. That way we were able to secure the accounts, work on them, and mitigate any damages immediately. We were also able to triage our accounts to figure out which we were still able to access, and which had no admins left with access.
Step 4: Reset billing
Disconnecting from our MCC wound up being a very important step. That’s because when our accounts were disconnected from the MCC, we were easily able to reset the billing by editing the payment manager and undoing all of the payment chaos that the hackers had created. We were then able to reconnect them without issue.
Step 5: Check change history
When we eventually did get back into the accounts, we immediately checked the change history, which we were able to do at the MCC level for additional speed. All the changes the hackers made during that time were there with time stamps, allowing us to put together a timeline of the hack and remediate any remaining issues.
Get the newsletter search marketers rely on.
Best practices for recovering from a hack
During all this activity, a few things were especially critical to our success in recovering the account and mitigating damage. Here’s a quick rundown of best practices to keep in mind.
Make sure clients have access
This isn’t just a best practice, but something we believe should always be the case for ethical reasons. Having additional admins in the account let us regain access immediately, despite being locked out of the MCC, and remediate issues without losing time or momentum.
Google also pushed back on any access or billing changes that didn’t have approval from an existing admin, so having people still in the accounts was critical.
Keep your MCC clean
Remove old clients, and any other MCCs for tools you’re no longer using. We didn’t do this, and wish we had. We’ve made it a best practice for our accounts moving forward.
Limit team access
Make sure your team only has the minimum access they need. Standard access is great. Admin access should be reserved for as few people as possible. The compromised account belonged to a junior team member who didn’t need admin-level access.
This isn’t to say they wouldn’t have gotten in through a more senior team member’s account — as mentioned, they did try to get in through several before succeeding — but it would have mitigated risk.
Use credit cards or invoices
Never connect your bank accounts to your MCC. We’ve heard of companies that have lost hundreds of thousands of dollars with this same kind of hack. Because our clients were all either on invoice or credit cards, the hackers couldn’t quickly spend money in a way that hit their accounts.
As noted earlier, the credit card companies rejected the very suspicious half-million-dollar charges the hackers attempted to make, and notified the credit card holders. The clients we were invoicing were never charged, and everything was captured on the invoices before billing.
Invest in relationships
It’s important to invest in your relationships with your Google reps, and fellow agency owners. We remain incredibly grateful to all of the people who helped us, or even just commiserated with us along the way. This experience would’ve been even more painful if we’d had to go through it alone.
How to prevent being hacked
For those who have yet to be hacked, congratulations! Let’s try to keep it that way. Here are some things you can do to make it much less likely that this will ever happen to your accounts.
Start with a clean reset
Begin by kicking every single user out of your account, and have everybody on the accounts reset their passwords. Make sure you log everyone out of every session they were in on every device.
Our hackers were sitting around auto-logging in and keeping their sessions open for over two months prior to the night they took over the MCC. If we’d forced a reset and logged everyone off, we would’ve removed their access without even realizing it.
Enable 2FA and allowed domains
Make sure there’s only one 2FA per person. 2FAs that use authenticators or physical keys are better than pinging a device. The hackers had created their own 2FA to get into our employees’ accounts, and we never even had an idea that it was happening.
Audit and limit access
Make sure the minimum number of people have the minimum access they need to the MCC. This reduces your risk.
Enable multi-party approval
Google rolled out this new feature quite recently to help prevent account takeovers. Essentially, the feature requires that a second admin verifies any big changes before they happen. If you’d like to read up on this feature, here’s a great guide introducing multi-party approval.
Back up your accounts
You can copy and paste your accounts into your preferred spreadsheet app via Google Ads Editor. Make a habit of doing this periodically so that you’ll always have a copy of how things were in case of a hack. With the backups, you can easily revert back if you need to.
Use strong passwords
It’s important to use unique passwords that aren’t being used anywhere else. That way, if one site gets hacked, your MCC is still not at risk. We’re still not sure how the hackers passed the initial password stage to be able to create their own 2FA.
Invest in security monitoring
If you want to be extra careful, invest in security software and/or a cybersecurity expert to monitor your system. We have now done this, and it’s been amazing (and scary) to see how many phishing attempts have already been caught in the six weeks since we did it.
A note for clients: If you’re a client and another team is managing your Google Ads, do not accept any Google Ads MCC access requests that you aren’t expecting. Please make sure you always know who and what you’re giving access to. When in doubt, double-check with the team that is managing your account. A little caution can go a long way.
See the complete picture of your search visibility.
Track, optimize, and win in Google and AI search from one platform.
Start Free Trial
Get started with
Stay safe out there
The good news is that Google knows about these issues, and is actively finding ways to tighten their systems to prevent hacks. In the meantime, I hope this article has helped make our loss your gain. With an ounce of prevention, you’re likely to prevent a pound of pain.
Contributing authors are invited to create content for Search Engine Land and are chosen for their expertise and contribution to the search community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. Search Engine Land is owned by Semrush. Contributor was not asked to make any direct or indirect mentions of Semrush. The opinions they express are their own.
