Issue #229: Our Google Ads MCC Was Hacked. Here’s Exactly What Agencies Need to Know

Hey there,
Our Google Ads MCC Was Hacked. Here’s Exactly What Happened.
That is not a sentence anyone wants to write.
Friday morning, our internal monitoring tool, PPCRush, alerted us to unexpected changes inside our Google Ads MCC.
We immediately saw unfamiliar Gmail accounts being added as users.
At 8:26 AM, Google alerted us that our MCC had been unlinked. It looked unusual. Within minutes, it became clear it was much more serious.
By 8:30 AM, our leadership and operations teams were investigating.
As we reviewed the account, users were actively losing access in real time. Permissions were changing. The structure of the account was being altered. Someone else was inside.
The First Few Hours
The next several hours moved quickly.
8:52 AM
Our first escalation was sent to our Google Ads representatives.
9:02 AM
Google’s Compromised Account form was submitted.
9:22 AM
We sent an email to our partner agencies instructing them to immediately disconnect from the affected MCC as a precaution.
At that point, our primary objective was simple:
Contain the incident.
Protect client accounts.
Limit the blast radius.
Fortunately, Google moved quickly.
2:02 PM
Google confirmed that most malicious activity had been removed.
2:06 PM
Our MCC connection was restored.
2:22 PM
We notified partner agencies that recovery efforts were underway.
But that wasn’t the end of the work.
It was the beginning.
What We Did Next
Once control was restored, we did not treat the incident as “closed.”
We reviewed login activity, employee machines, and access patterns. That is when we discovered the attack originated from Singapore and came through a compromised machine running “zombie” applications.
Over the Father’s Day Weekend, our team members in the United States, India, the Philippines, and South America worked in coordinated shifts to maintain continuous coverage and security checks of all 5,761 Google Ads accounts.
We also helped partner agencies reconnect to our secured MCC.
By Monday and Tuesday, agencies were being reconnected, and the final agency was linked back on June 23rd.
This was not a small cleanup. It was a full account-by-account review of 5,761 accounts in 48 hours.
And it gave us a very clear reminder of how important access controls, device security, and API review have become in Google Ads.
Why This Matters for Agencies
Most agencies think about Google Ads security too narrowly.
They think:
“Do we have two-factor authentication turned on?”
That is important.
But it is not enough anymore.
For agencies that manage client accounts, Google Ads access is not just software access.
It is financial access.
It affects budgets, billing, campaigns, reporting, client communication, and trust.
That is why every agency should periodically review who has access, what tools are connected, and whether each permission is still needed.
This is not about panic.
It is about process.
Google’s newer two-admin approval system is a step in the right direction. It can help prevent one user from making certain sensitive access changes alone.
But there are still two important caveats.
Single-admin MCC accounts do not get the same practical protection because there may not be another admin available to approve or reject sensitive changes.
And API access remains a special risk because once an app or tool is approved, it may be able to work quietly behind the scenes.
That was one of the biggest lessons from our incident.
In our case, attackers used a compromised login to approve an app/API connection.
That means agencies should not only review users.
They should also review apps, integrations, scripts, reporting tools, and API connections.
What Agencies Should Review as Good Practice
This is the short version.
Check:
  • Every user with access to your Google Ads MCC
  • Every admin user
  • Every old employee, contractor, vendor, or client login
  • Every personal Gmail account with access
  • Every third-party app connected to each user’s Google Account
  • Every API connection
  • Every linked manager account
  • Every machine used by your PPC team
  • Every browser extension installed on those machines
  • Every suspicious login location
  • Every account with only one admin user
Also make sure every account has at least two trusted admin users.
Not twenty admins.
Not everyone as admin.
Just enough trusted admins so one compromised or locked-out account does not become a disaster.
The 5 Lessons We Want Every Agency to Take From This
1. Enable two-factor authentication everywhere.
This is still the baseline.
Every Google Ads user, every Workspace account, every reporting tool, and every critical login should have 2FA enabled.
But do not stop there.
2FA is required.
It is not a complete security plan.
2. Every Google Ads account should have at least two admin users.
Single-admin accounts are fragile.
If that one admin account is compromised, locked out, or removed, recovery becomes much harder.
Every account should have at least two trusted admins.
But access should still be limited.
Most team members do not need admin access.
3. Be extremely careful with API access.
This may be the biggest lesson.
API access can be more dangerous than normal user access because it works quietly and at scale.
A normal user logs in and clicks around.
An API connection can read data, change campaigns, adjust budgets, create ads, and make bulk changes depending on what has been approved.
Every agency should review which apps and tools have access to every user’s Google Account under Third-party Apps.
Ask:
Who approved this?
Do we still use it?
Can it make changes or only read data?
Is it connected at the MCC level?
Is it tied to a former employee?
Does it really need access?
If you would not give a vendor admin-level power manually, do not casually approve broad API access.
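The review list above and the six API questions are easy to answer once for one account and hard to keep answering for thousands. The following is an added example, not the newsletter’s or the agency’s own tooling (PPCRush is not shown here), of turning both lists into repeatable checks over an export of users and connected integrations. The data shapes, the sample rows, the account IDs and the personal-domain list are all constructed for the example; a real run would be fed from the agency’s own user export and its third-party app inventory.

```python
"""Offline access review over a constructed export of Google Ads MCC users
and connected apps/API integrations (added example; assumed data shapes)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed list of consumer mail providers; a login from one of these is a
# "personal Gmail account with access" in the newsletter's sense.
PERSONAL_DOMAINS = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com", "hotmail.com"}

@dataclass
class UserAccess:
    account_id: str            # Google Ads customer ID the grant applies to (constructed)
    email: str
    role: str                  # "admin", "standard", "read_only", "email_only"
    last_login: Optional[date]
    active_employee: bool      # from the agency's HR/offboarding list (assumed input)

@dataclass
class Integration:
    account_id: str
    name: str
    approved_by: Optional[str]  # who approved the app/API connection, if recorded
    can_write: bool             # can change campaigns/budgets, not only read
    still_in_use: bool

# Constructed sample export: two accounts, five grants, three integrations.
SAMPLE_USERS = [
    UserAccess("111-222-3333", "ops@agency.example", "admin", date(2025, 6, 12), True),
    UserAccess("111-222-3333", "lead@agency.example", "admin", date(2025, 6, 13), True),
    UserAccess("111-222-3333", "analyst@agency.example", "standard", date(2025, 1, 4), True),
    UserAccess("444-555-6666", "owner@agency.example", "admin", date(2025, 6, 10), True),
    UserAccess("444-555-6666", "contractor.ppc@gmail.com", "standard", date(2025, 6, 9), False),
]
SAMPLE_INTEGRATIONS = [
    Integration("111-222-3333", "Reporting dashboard", "ops@agency.example", False, True),
    Integration("444-555-6666", "Bid optimiser", "contractor.ppc@gmail.com", True, True),
    Integration("444-555-6666", "Unknown sync app", None, True, False),
]

Finding = Tuple[str, str, str]  # (account_id, subject, finding tag)

def audit_users(users: List[UserAccess], today: date, stale_days: int = 90) -> List[Finding]:
    """Flag personal-email logins, departed people, stale logins and single-admin accounts."""
    findings: List[Finding] = []
    admin_count = {}
    for u in users:
        admin_count.setdefault(u.account_id, 0)
        if u.role == "admin":
            admin_count[u.account_id] += 1
        domain = u.email.rsplit("@", 1)[-1].lower()
        if domain in PERSONAL_DOMAINS:
            findings.append((u.account_id, u.email, "personal-email-login"))
        if not u.active_employee:
            findings.append((u.account_id, u.email, "former-employee-login"))
        if u.last_login is None or (today - u.last_login).days > stale_days:
            findings.append((u.account_id, u.email, "stale-login"))
    # "At least two trusted admins, not twenty": count per account, not globally.
    for acct, n in admin_count.items():
        if n < 2:
            findings.append((acct, "-", "single-admin-account"))
    return findings

def audit_integrations(integrations: List[Integration], users: List[UserAccess]) -> List[Finding]:
    """Answer the lesson-3 questions: still used? who approved it? can it write?"""
    former = {u.email for u in users if not u.active_employee}
    findings: List[Finding] = []
    for i in integrations:
        if not i.still_in_use:
            findings.append((i.account_id, i.name, "unused-integration"))
        if i.can_write and i.approved_by is None:
            findings.append((i.account_id, i.name, "write-access-no-approver"))
        if i.approved_by in former:
            findings.append((i.account_id, i.name, "approved-by-former-employee"))
    return findings

def run_review(users=SAMPLE_USERS, integrations=SAMPLE_INTEGRATIONS, today=date(2025, 6, 20)):
    """Combined report; returns the findings so a scheduler can alert on a non-empty list."""
    findings = audit_users(users, today) + audit_integrations(integrations, users)
    for acct, subject, tag in findings:
        print(f"{acct}\t{subject}\t{tag}")
    return findings

if __name__ == "__main__":
    run_review()
```

Run it on the constructed data and it reports a stale analyst login, the contractor’s personal Gmail login that also belongs to a departed person, one account with a single admin, an integration nobody still uses, a write-capable integration with no recorded approver, and a write-capable bid tool approved by the departed contractor. The tags are deliberately stable strings so the output can feed a ticket queue or a weekly alert rather than being read by eye.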
4. Keep computers clean and updated.
The breach came through a machine running zombie apps.
We had to wipe and reinstall the system. That is a reminder that Google Ads security is not only about Google Ads. Your team’s computers matter. Keep operating systems updated.
Remove unauthorized apps.
Review browser extensions.
Run malware scans.
Use endpoint protection.
And if a machine is compromised, do not try to “clean it up” casually.
Wipe it and rebuild it.
5. Double-check URLs and never trust lookalike Google pages.
Recent Google Ads phishing attacks have used fake Google Ads pages, fake login flows, fake sign-up pages, fake approval screens, and even sites.google.com pages to look more legitimate.
That is dangerous because Google Sites is a real Google product.
But a page on sites.google.com is not the same as the real Google Ads login.
Your team should not search Google for “Google Ads login” and click sponsored results.
Use a saved bookmark.
Type the known URL directly.
And never approve access, reconnect accounts, or enter credentials from a page that was reached through an unexpected ad, email, or message.
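“Use a saved bookmark, type the known URL directly” can also be enforced rather than remembered. Below is an added example, not code from the newsletter or the agency, of a small URL check that accepts a sign-in or approval page only when its host exactly matches a short allowlist. The allowlist of two hosts is an assumption for the example; the sample URLs are constructed. The point it demonstrates is that a substring or suffix test on “google.com” would wave through sites.google.com, which the newsletter notes is a real Google product but not the Google Ads login.

```python
"""Allowlist check for Google Ads sign-in / approval URLs (added example)."""
from urllib.parse import urlsplit

# Assumed allowlist: the hosts this team's saved bookmarks point at.
KNOWN_LOGIN_HOSTS = {"ads.google.com", "accounts.google.com"}

def classify_url(url: str) -> str:
    """Return one of: trusted, not-https, google-sites-page, lookalike-host, unknown-host."""
    parts = urlsplit(url)
    # urlsplit gives the bare host; lower-case it and drop a trailing dot so
    # "Ads.Google.com." compares equal to the allowlist entry.
    host = (parts.hostname or "").lower().rstrip(".")
    if host in KNOWN_LOGIN_HOSTS:          # exact match only, never "endswith"
        return "trusted" if parts.scheme == "https" else "not-https"
    if host == "sites.google.com":          # real Google product, not the Ads login
        return "google-sites-page"
    if "google" in host:                    # brand name on a host we do not know
        return "lookalike-host"
    return "unknown-host"

def is_trusted_login_url(url: str) -> bool:
    return classify_url(url) == "trusted"

def flag_untrusted(urls):
    """Filter a list of URLs (e.g. from a browser-history export) down to the ones to review."""
    return [(u, classify_url(u)) for u in urls if not is_trusted_login_url(u)]

# Constructed sample URLs for a demonstration run.
SAMPLE_URLS = [
    "https://ads.google.com/aw/overview",
    "http://ads.google.com/",
    "https://sites.google.com/view/ads-approval",
    "https://ads.google.com.login-help.example/",
    "https://ads-google-login.example/",
    "https://example.org/",
]

if __name__ == "__main__":
    for url, verdict in flag_untrusted(SAMPLE_URLS):
        print(f"{verdict:18} {url}")
```

Wire `flag_untrusted` to whatever URL list is convenient (a proxy log, a browser-history export, the links in a suspicious email) and only the first sample URL passes. The fourth sample shows why suffix matching fails: its host ends in a legitimate-looking label sequence but the registrable domain is `login-help.example`, and only an exact host comparison catches that.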
Read the Full Blog
We broke this down in more detail here:
In the full article, we cover how Google Ads phishing attacks work, how hackers use Google-lookalike pages and sites.google.com, why MCC hacks are so dangerous for agencies, what Google’s two-admin approval improves, and why API access remains a hidden risk.
If you manage Google Ads for clients, it is worth reading and sharing with your team.
Thank You
This was a difficult week.
We have been managing Google Ads since 2008, and we do not take the trust of our partner agencies lightly.
We are thankful this was caught quickly. We are thankful Google moved fast. We are thankful our team worked through the weekend to review accounts, secure access, and support reconnections.
Most of all, we are thankful for the patience, trust, and support of our partner agencies during a stressful situation.
We will continue strengthening our systems, improving our processes, and sharing what we learn when it can help others avoid the same problem.
Talk to you next week,
Avi
CEO & Chief Wizard