{"id":6677,"date":"2026-04-17T23:56:34","date_gmt":"2026-04-17T15:56:34","guid":{"rendered":"http:\/\/longzhuplatform.com\/?p=6677"},"modified":"2026-04-17T23:56:34","modified_gmt":"2026-04-17T15:56:34","slug":"google-ads-mcc-hacked-heres-what-to-do-immediately","status":"publish","type":"post","link":"http:\/\/longzhuplatform.com\/?p=6677","title":{"rendered":"Google Ads MCC hacked? Here\u2019s what to do immediately"},"content":{"rendered":"<p><\/p> <div> <p>At midnight on Jan. 5, hackers took over our Google Ads Manager Account (MCC). We weren\u2019t alone. While it\u2019s hard to get an exact count, hundreds, if not thousands, of agencies have been affected by the hacks, in turn affecting tens of thousands of accounts.\u00a0<\/p> <p>While I wouldn\u2019t wish this experience on our worst enemy, having been through it, I have some insights that I hope can help you prevent the same experience from happening to your MCC account.<\/p> <h2 id=\"how-we-were-hacked\" class=\"wp-block-heading\">How we were hacked<\/h2> <p>Despite having two-factor authentication (2FA) and allowed domains enabled, the hackers were able to get into our account via an employee\u2019s email address. It was clearly a targeted hack: the night of the hack, the hackers tried to get in via two other email accounts at our company before they succeeded with the third.<\/p> <p>While phishing or compromised passwords may have originally gotten them into the system \u2014 we still don\u2019t know which \u2014 we later learned that the account the hackers used had been compromised for months and that they had created their own 2FA that they had been using all along.<\/p> <p>Once they gained access to our account, the hackers removed everyone else\u2019s access to the MCC. They then changed the allowed domain to Gmail and granted access to over a dozen people. The hackers then created a new MCC in our company\u2019s name and invited most of our clients. 
Luckily, none of them accepted.<\/p> <p>In the few hours they were in the MCC, the hackers proceeded to create chaos. They removed all the users from some accounts and changed the payment method in others. They launched new campaigns on only a few accounts, yet somehow also attempted half-million-dollar credit card charges on two others (despite not running any ads in those accounts).<\/p>
<h2 id=\"what-happened-after-the-hack\" class=\"wp-block-heading\">What happened after the hack<\/h2> <p>We were very lucky. The hackers were locked out within eight hours, and we regained access in just over a week. They spent only about $100 across the MCC. Neither crazy credit card charge went through. We were fully recovered from the hack within two weeks. How did we do this? Let\u2019s take a look at the steps we took.<\/p> <h3 class=\"wp-block-heading\" id=\"h-step-1-we-contacted-google\">Step 1: We contacted Google<\/h3> <p>When we were hacked, we immediately contacted our reps at Google. We\u2019re incredibly lucky to have wonderful Google reps with whom we\u2019ve built longstanding relationships, including one we\u2019ve worked with for over three years.\u00a0<\/p> <p>These long-term relationships helped, and our reps went to bat for us. 
They continued to put pressure on the support cases until they were resolved and helped connect us to the resources we needed. Not everyone has their own reps, but you can also take these steps on your own.<\/p> <h3 class=\"wp-block-heading\" id=\"h-step-2-fill-out-the-forms\">Step 2: Fill out the forms<\/h3> <p>Our Google reps immediately directed us to their \u201cWhat to do if your account is compromised\u201d resource. From there, we filed Account Takeover Forms, alerting Google to the hack. We were directed to file a form for each of our accounts that had been hacked.<\/p> <p>We first filed one for our MCC, even though the form, at the time, said not to use it for MCCs. It looks like that language has since been changed, which is great \u2014 don\u2019t skip this step. Getting back into the MCC makes it easier to resolve all issues, rather than having to file tickets and coordinate access for each account.<\/p> <h3 class=\"wp-block-heading\" id=\"h-step-3-contact-clients\">Step 3: Contact clients<\/h3> <p>At the same time, we directed any clients who still had access to their accounts to disconnect them from our MCC, and to grant access to a non-compromised email account. That way we were able to secure the accounts, work on them, and mitigate any damages immediately. We were also able to triage our accounts to figure out which we were still able to access, and which had no admins left with access.<\/p> <h3 class=\"wp-block-heading\" id=\"h-step-4-reset-billing\">Step 4: Reset billing<\/h3> <p>Disconnecting from our MCC wound up being a very important step. That\u2019s because when our accounts were disconnected from the MCC, we were easily able to reset the billing by editing the payment manager and undoing all of the payment chaos that the hackers had created. 
We were then able to reconnect them without issue.<\/p> <h3 class=\"wp-block-heading\" id=\"h-step-5-check-change-history\">Step 5: Check change history<\/h3> <p>When we eventually did get back into the accounts, we immediately checked the change history, which we were able to do at the MCC level for additional speed. All the changes the hackers made during that time were there with time stamps, allowing us to put together a timeline of the hack and remediate any remaining issues.<\/p> <hr class=\"wp-block-separator has-text-color has-cyan-bluish-gray-color has-css-opacity has-cyan-bluish-gray-background-color has-background\"\/> <h2 id=\"best-practices-for-recovering-from-a-hack\" class=\"wp-block-heading\">Best practices for recovering from a hack<\/h2> <p>During all this activity, a few things were especially critical to our success in recovering the account and mitigating damage. Here\u2019s a quick rundown of best practices to keep in mind.<\/p> <h3 class=\"wp-block-heading\" id=\"h-make-sure-clients-have-access\">Make sure clients have access<\/h3> <p>This isn\u2019t just a best practice, but something we believe should always be the case for ethical reasons. 
Having additional admins in the account let us regain access immediately, despite being locked out of the MCC, and remediate issues without losing time or momentum.\u00a0<\/p> <p>Google also pushed back on any access or billing changes that didn\u2019t have approval from an existing admin, so having people still in the accounts was critical.<\/p> <h3 class=\"wp-block-heading\" id=\"h-keep-your-mcc-clean\">Keep your MCC clean<\/h3> <p>Remove old clients, and any other MCCs for tools you\u2019re no longer using. We didn\u2019t do this, and wish we had. We\u2019ve made it a best practice for our accounts moving forward.<\/p> <h3 class=\"wp-block-heading\" id=\"h-limit-team-access\">Limit team access<\/h3> <p>Make sure your team only has the minimum access they need. Standard access is great. Admin access should be reserved for as few people as possible. The compromised account belonged to a junior team member who didn\u2019t need admin-level access.\u00a0<\/p> <p>This isn\u2019t to say they wouldn\u2019t have gotten in through a more senior team member\u2019s account \u2014 as mentioned, they did try to get in through several before succeeding \u2014 but it would have mitigated risk.<\/p> <h3 class=\"wp-block-heading\" id=\"h-use-credit-cards-or-invoices\">Use credit cards or invoices<\/h3> <p>Never connect your bank accounts to your MCC. We\u2019ve heard of companies that have lost hundreds of thousands of dollars with this same kind of hack. Because our clients were all either on invoice or credit cards, the hackers couldn\u2019t quickly spend money in a way that hit their accounts.\u00a0<\/p> <p>As noted earlier, the credit card companies rejected the very suspicious half-million-dollar charges the hackers attempted to make, and notified the credit card holders. 
The clients we were invoicing were never charged, and everything was captured on the invoices before billing.<\/p> <h3 class=\"wp-block-heading\" id=\"h-invest-in-relationships\">Invest in relationships<\/h3> <p>It\u2019s important to invest in your relationships with your Google reps, and fellow agency owners. We remain incredibly grateful to all of the people who helped us, or even just commiserated with us along the way. This experience would\u2019ve been even more painful if we\u2019d had to go through it alone.<\/p> <h2 id=\"how-to-prevent-being-hacked\" class=\"wp-block-heading\">How to prevent being hacked<\/h2> <p>For those who have yet to be hacked, congratulations! Let\u2019s try to keep it that way.\u00a0Here are some things you can do to make it much less likely that this will ever happen to your accounts.<\/p> <h3 class=\"wp-block-heading\" id=\"h-start-with-a-clean-reset\">Start with a clean reset<\/h3> <p>Begin by kicking every single user out of your account, and have everybody on the accounts reset their passwords. Make sure you log everyone out of every session they were in on every device.\u00a0<\/p> <p>Our hackers were sitting around auto-logging in and keeping their sessions open for over two months prior to the night they took over the MCC. If we\u2019d forced a reset and logged everyone off, we would\u2019ve removed their access without even realizing it.<\/p> <h3 class=\"wp-block-heading\" id=\"h-enable-2fa-and-allowed-domains\">Enable 2FA and allowed domains<\/h3> <p>Make sure there\u2019s only one 2FA per person. 2FAs that use authenticators or physical keys are better than pinging a device. The hackers had created their own 2FA to get into our employees\u2019 accounts, and we never even had an idea that it was happening.<\/p> <h3 class=\"wp-block-heading\" id=\"h-audit-and-limit-access\">Audit and limit access<\/h3> <p>Make sure the minimum number of people have the minimum access they need to the MCC. 
This reduces your risk.<\/p> <h3 class=\"wp-block-heading\" id=\"h-enable-multi-party-approval\">Enable multi-party approval<\/h3> <p>Google rolled out this new feature quite recently to help prevent account takeovers. Essentially, the feature requires that a second admin verifies any big changes before they happen. If you\u2019d like to read up on this feature, here\u2019s a great guide introducing multi-party approval.<\/p> <h3 class=\"wp-block-heading\" id=\"h-back-up-your-accounts\">Back up your accounts<\/h3> <p>You can copy and paste your accounts into your preferred spreadsheet app via Google Ads Editor. Make a habit of doing this periodically so that you\u2019ll always have a copy of how things were in case of a hack. With the backups, you can easily revert back if you need to.<\/p> <h3 class=\"wp-block-heading\" id=\"h-use-strong-passwords\">Use strong passwords<\/h3> <p>It\u2019s important to use unique passwords that aren\u2019t being used anywhere else. That way, if one site gets hacked, your MCC is still not at risk. We\u2019re still not sure how the hackers passed the initial password stage to be able to create their own 2FA.<\/p> <h3 class=\"wp-block-heading\" id=\"h-invest-in-security-monitoring\">Invest in security monitoring<\/h3> <p>If you want to be extra careful, invest in security software and\/or a cybersecurity expert to monitor your system. We have now done this, and it\u2019s been amazing (and scary) to see how many phishing attempts have already been caught in the six weeks since we did it.<\/p> <p><strong>A note for clients: <\/strong>If you\u2019re a client and another team is managing your Google Ads, do not accept any Google Ads MCC access requests that you aren\u2019t expecting. Please make sure you always know who and what you\u2019re giving access to. When in doubt, double-check with the team that is managing your account. 
A little caution can go a long way.<\/p>
<h2 id=\"stay-safe-out-there\" class=\"wp-block-heading\">Stay safe out there<\/h2> <p>The good news is that Google knows about these issues, and is actively finding ways to tighten their systems to prevent hacks. In the meantime, I hope this article has helped make our loss your gain. With an ounce of prevention, you\u2019re likely to prevent a pound of pain.<\/p> <\/div> <p> <em>Contributing authors are invited to create content for Search Engine Land and are chosen for their expertise and contribution to the search community. Our contributors work under the oversight of the editorial staff and contributions are checked for quality and relevance to our readers. Search Engine Land is owned by Semrush. Contributor was not asked to make any direct or indirect mentions of Semrush. The opinions they express are their own.<\/em> <\/p> ","protected":false},"excerpt":{"rendered":"<p>At midnight on Jan. 5, hackers took over our Google Ads Manager Account (MCC). We weren\u2019t alone. 
While it\u2019s hard to get an exact count, hundreds, if not thousands, of agencies have been affected by the hacks, in turn affecting tens of thousands of accounts.\u00a0 While I wouldn\u2019t wish this experience on our worst enemy, [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":6678,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[152,75,14402,2280,16105,24933,155],"class_list":["post-6677","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-careers","tag-ads","tag-google","tag-hacked","tag-heres","tag-immediately","tag-mcc","tag-opinion"],"acf":[],"_links":{"self":[{"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=\/wp\/v2\/posts\/6677","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6677"}],"version-history":[{"count":0,"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=\/wp\/v2\/posts\/6677\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=\/wp\/v2\/media\/6678"}],"wp:attachment":[{"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6677"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6677"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/longzhuplatform.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6677"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}