Securing Your Business: Lessons from a Google Ads Account Breach

There aren’t a lot of good reasons for a 4:30 a.m. phone call, as Shop Marketing Pros Founder Brian Walker found out last December. It was his wife, Kim, with some deeply unpleasant news—Shop Marketing Pros’ Google Ads account had been hacked, with the Walkers and other legitimate administrators demoted while malicious actors took control of the more than 200 connected accounts.

“Once you’re removed, it’s too late; there’s nothing you can do about it,” Brian says. “My wife, who gets up early every morning, saw the notifications from our ads manager and woke me up. I was on the phone with Google by 5:00 a.m. At that point, Google could have simply removed the intruder from our account and restored our access. There would have been only dollars’ worth of damage at most, but instead, they allowed this person to stay in the account for eight straight days.”

Backstory: 

Making the situation more frustrating was the fact that the Shop Marketing Pros team had followed all of Google’s recommendations for security, including two-factor authentication. As it turns out, that didn’t make much of a difference.

“Through this process, we learned that Google’s two-factor authentication is absolute garbage. These hacks happen all the time; they’re never-ending,” Brian says. “We’ve since helped other agencies that have been hacked. All of us were following the security protocols Google tells you to have in place, but now we’ve gone way beyond that. We had 233 Google accounts connected to our main My Client Center account, which is the one that was compromised. Hackers target agency accounts like that because they can gain access to a massive number of accounts at once.”

Problem: 

While the hackers didn’t have direct access to the credit cards and bank information connected to the accounts, they could still charge those accounts for hundreds of thousands of dollars of malicious ads for fake websites.

“We had clients going to sleep with overdrawn accounts. The banks reversed the charges and refunded the money by the next day, but it still caused immense stress,” Brian says. “The only permanent damage was the missed opportunity cost during that time.”
Every member of the Shop Marketing Teams hopped into action, reaching out to Google in as many ways as possible and pushing for a successful resolution. Hallie Wasinger, Shop Marketing Pros COO, was on the frontlines for the entire debacle.

“We could see everything the hackers were doing, but we couldn’t stop it for eight days,” Wasinger says. “By leaving us with read-only access, it prevented Google from escalating the case as a ‘complete takeover’ of the account.”

Solution: 

The Walkers got in contact with their senator’s office, who helped escalate the issue and got them in direct contact with a Google executive. Eight days later, they regained access, but the Shop Marketing Pros’ team’s work had only just begun. Wasinger and the ads team had to rebuild everything the hackers destroyed over those eight days.

“Google told us they could ‘revert’ our accounts to the day before the hack, which sounds great in theory, but it didn’t return everything to normal,” Wasinger says. “They left the hackers in all of our accounts; they just downgraded the hackers’ access to read-only and re-established Brian and me as admins. We had to go through every single account manually to remove them.”

Making matters worse was the fact that the hackers had created countless new fraudulent ad campaigns attached to the account. Google cancelled those campaigns when they restored Shop Marketing Pros’ access, but they weren’t deleted or removed. Instead, they stuck to the account and eventually triggered automatic policy violations. Wasinger had to submit and resubmit appeals, although the escalation team they were working with eventually just stopped responding altogether.

Aftermath: 

With the official security recommendations falling short and other companies reporting hacking incidents, the Shop Marketing Pros team set out to create their own security protocols.

“To shore up our security, the primary thing we did was move to a hardware key for two-factor authentication,” Brian says. “It requires a physical touch on a metal contact to authenticate; a remote hacker can’t bypass that. We also set up obscure, separate email addresses for admin logins that we don’t use for anything else. They have to have the secret email address and the physical hardware key. This goes way beyond what Google recommends.”

Shop Marketing Pros also split their clients into different, smaller groups to better isolate any potential hackers’ access. They also moved all of their clients’ ad budgets to cards that they own rather than clients’ cards or accounts, allowing the Shop Marketing Pros team to shut off a card and stop fraudulent spending instantly.

“Our clients are now the most protected in the industry,” Brian says. “Putting ad budgets on our own cards is a massive accounting pain—I had to hire two people just to manage it—but it’s a major commitment to their security.”

Takeaway: 

“To prevent this from happening, make sure you have two-factor authentication on,” Wasinger advises. “We see so many clients who don’t have it or have old employees who still have access. Also, use a dedicated credit card or virtual card just for Google Ads so you can shut it off without affecting your whole business.”

At the end of the day, the reality is that Google is thousands of times bigger than any auto shop. Despite controlling the entire advertising environment, Google’s help won’t get faster or more comprehensive.

“To Google, hundreds of thousands of dollars is a fraction of a penny,” Wasinger says. “They do not care; it’s on you to protect yourself.”