Rescuing Your Google Ads MCC from Hackers

I want to share an experience that tested my cyber awareness: my Google Ads Manager Account (MCC) fell into hackers’ hands at midnight on January 5. Fortunately, my team wasn’t alone in this ordeal. It’s estimated that hundreds, if not thousands, of similar accounts were hijacked, impacting vast networks of ads.

Reflecting on this unsettling event, I’ve gained valuable insights that I hope will help you safeguard your own MCCs from facing a similar fate.

How Hackers Gained Control of My Account

Despite having two-factor authentication (2FA) in place, the hackers breached my account using an employee’s email. This targeted hack saw them exploiting multiple email accounts before succeeding on their third attempt.

Phishing or password compromises likely granted them initial access. We later discovered that the email account they chose had been compromised for months, and that they had bypassed our security by setting up their own 2FA, tailored for deceit.

Their takeover was swift, removing all access to our MCC and altering allowed domains to Gmail. They brazenly invited over a dozen people into a newly created MCC under our company name, which thankfully, our clients ignored.

Within just hours, chaos ensued: users were removed, payment methods were altered, and unauthorized campaigns launched. Attempted fraudulent charges reached half a million on some accounts—remarkably without ads running to justify such expenses.

Regaining Control After the Hack

In a stroke of luck, we managed to reclaim our account within eight hours. Financial damage was surprisingly minimal, capped at $100, with unsuccessful credit card charges adding to our recovery timeline.

The journey to restoration relied on clear steps, beginning with contacting Google.

Step 1: Reaching Out to Google

Our first action was reaching out to our trusted Google reps. Their ongoing support proved invaluable, guiding us through the process and maintaining pressure on resolving our cases.

Even if you don’t have a dedicated rep, following the recommended steps still aids in timely resolution.

Step 2: Submitting Necessary Forms

Google directed us to their compromised account resources, prompting us to file multiple Account Takeover Forms for each affected account, including our MCC.

Though initially advised against using this form for MCCs, updated guidance now includes it as a vital step in swift recovery.

Step 3: Client Communication

I urged our clients with remaining access to disconnect from the compromised MCC and connect to secure emails. This immediate action helped us secure accounts and minimize potential damage.

Step 4: Managing Billing Chaos

Disconnecting was pivotal in resetting billing details. By editing the payment manager, we managed to undo the tangled web the hackers spun, simplifying future re-connections.

Step 5: Analyzing Change History

Upon regaining access, analyzing change history at MCC speed was essential. The detailed timestamps allowed us to construct a timeline and rectify ongoing issues.
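
One way to turn a change-history export into an incident timeline, as an added example that is not from the original post. The CSV column names, change-type labels, addresses and dates are constructed assumptions, not the real Google Ads export schema.

```python
import csv
import io
from datetime import datetime

# Constructed sample export. Column names, change-type labels, addresses and
# dates are assumptions for this example, not the real Google Ads schema.
SAMPLE_EXPORT = """timestamp,user,account,change_type,detail
2025-01-04T16:12:00,analyst@agency.example,Client A,BUDGET_CHANGED,daily budget 50 -> 55
2025-01-05T00:03:00,junior@agency.example,MCC,ALLOWED_DOMAINS_CHANGED,gmail.com
2025-01-05T00:05:00,junior@agency.example,MCC,USER_REMOVED,owner@agency.example
2025-01-05T00:09:00,junior@agency.example,MCC,USER_INVITED,newadmin@gmail.com
2025-01-05T00:41:00,newadmin@gmail.com,Client A,PAYMENT_METHOD_CHANGED,card replaced
2025-01-05T01:15:00,newadmin@gmail.com,Client B,CAMPAIGN_CREATED,new campaign
"""
TRUSTED_DOMAINS = {"agency.example"}  # hypothetical company domain
HIGH_RISK = {"ALLOWED_DOMAINS_CHANGED", "USER_REMOVED", "PAYMENT_METHOD_CHANGED"}

def is_trusted(address):
    return address.rsplit("@", 1)[-1].lower() in TRUSTED_DOMAINS

def flag_events(export_text):
    """Return suspicious rows in time order, each with the reasons it was flagged."""
    rows = sorted(csv.DictReader(io.StringIO(export_text)),
                  key=lambda r: datetime.fromisoformat(r["timestamp"]))
    flagged = []
    for row in rows:
        reasons = []
        if row["change_type"] in HIGH_RISK:
            reasons.append("high-risk change")
        if row["change_type"] == "USER_INVITED" and not is_trusted(row["detail"]):
            reasons.append("invitee outside trusted domains")
        if not is_trusted(row["user"]):
            reasons.append("actor outside trusted domains")
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged

def summarize(flagged):
    """Condense flagged rows into the window, actors and accounts to remediate."""
    if not flagged:
        return None
    return {"first_seen": flagged[0]["timestamp"],
            "last_seen": flagged[-1]["timestamp"],
            "actors": sorted({f["user"] for f in flagged}),
            "accounts": sorted({f["account"] for f in flagged})}

if __name__ == "__main__":
    events = flag_events(SAMPLE_EXPORT)
    for e in events:
        print(e["timestamp"], e["account"], e["change_type"], e["user"], e["reasons"])
    print(summarize(events))
```

The summary gives the first and last suspicious timestamps plus every actor and account touched, which is the list to work through when revoking sessions and reverting changes.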

Implementing Best Practices

A number of best practices helped us not only in recovery but also in preventing future breaches. Let’s dive into some critical strategies.

Ensure Client Access

I believe ethically, clients should always have access to their accounts. Additional admin presence provided a safety net, enabling us to regain control swiftly.

Google also supported us in blocking unauthorized changes, reinforcing the importance of multiple secure admin accounts.

Maintain MCC Integrity

Cleaning up by removing obsolete clients and unused MCCs is now a priority. This preventive measure could have lessened our vulnerability pre-hack.

Restricting Access Wisely

The breach was through a junior member needing minimal access. Restricting admin access to necessary personnel reduces potential entry points.

Despite their persistence, this measure could limit hacker penetration.

Financial Safeguards

Opting for credit or invoice payments meant banks swiftly flagged any irregular transactions, ensuring no charges landed.

Nurture Key Relationships

Building relationships with Google reps and agency peers is vital. Their involvement during crisis management cannot be overstated.

Proactive Protection Measures

Keeping your MCC secure demands proactive strategies. Here are some to fortify your digital fortress.

Initiate a Complete Reset

By periodically purging all account users and device sessions, we could have silently ousted the lurking hacker, curtailing their prepared attack.

Fortify with 2FA and Domains

Establish dedicated 2FA for each user. Authenticators provide stronger defenses than traditional device notifications, which the attackers exploited.

Review and Limit Access

Minimizing access helps defensively, as fewer touchpoints result in decreased vulnerability.

Deploy Multi-party Approvals

Google’s recent multi-party approval feature requires a second admin confirmation for major changes, adding a security layer.

Regular Account Backups

Leveraging Google Ads Editor for backups ensures past configurations are recoverable, mitigating potential disruptions.

Secure Your Passwords

Encouraging unique, site-specific passwords shields MCCs from cascading breaches originating from other compromised accounts.

Invest in Monitoring

Employing cybersecurity tools and experts provides peace of mind. Their vigilance uncovers phishing attempts early, shoring up defenses.

A Client’s Caution: Stay informed about access requests for your Ads. Verify unexpected ones with your managing team to preempt unauthorized intrusions.

Stay Vigilant and Secure

While Google evolves its security toolkit, ensuring your practices are robust aids in thwarting breaches. Let this recounting bolster your prep, mitigating future risks.


Inspired by this post on Search Engine Land.


FAQs

What caused the Google Ads MCC hack?

Hackers gained control via an employee’s compromised email and bypassed two-factor authentication by configuring their own 2FA. Phishing or password compromises likely granted initial access, and the compromised email remained active for months, enabling persistence.

How long did it take to regain control of the MCC?

We reclaimed the MCC within eight hours. Financial damage was minimal, capped at about $100, with some unsuccessful card charges extending the recovery timeline.

What steps helped with the recovery?

We started by contacting Google reps for guidance and submitted Account Takeover forms for each affected account, including the MCC. We then disconnected clients from the compromised MCC, cleaned up the billing setup, and reviewed change history to build a restoration timeline.

What best practices were implemented to prevent future breaches?

We ensured client access and maintained multiple secure admin accounts to prevent single-point failures. We restricted access to essential personnel, added multi-party approvals for major changes, used Google Ads Editor for backups, and used strong passwords.

How can you stay vigilant after an MCC breach?

We implemented ongoing monitoring and built strong relationships with Google reps and agency peers. Their vigilance helped detect phishing attempts early and strengthen defenses.
