
Saturday, September 20, 2008

My Personal AdWords Account Hacked

I had an AdWords account of mine hacked on September 18th. I had not logged directly into this particular AdWords account in a long time, at least 6 months. I do access it occasionally but always via my MCC login. Whoever hacked the account accessed it using the primary login, not the MCC. I'm really at a loss as to how the account was compromised. I use strong passwords and take a lot of precautions like making sure I'm only logging in from secure environments.

I have to give credit to Google's systems for detecting the unusual activity and disabling the entire account before any charges were incurred. None of the campaigns created by the hacker ever received a single impression - even though they had high daily budgets and CPCs associated with the keywords they had added to the account.

The purpose of this post is just to serve as a reminder to everyone with an AdWords account...how strong is your password and when is the last time you changed it? While I was very fortunate...that might not be the case for everyone. The person who hacked my AdWords account could have changed my password and locked me out...that didn't happen. I was also very fortunate that this was not a business or client account, it's really more of just a hobby account I use for testing and other non-critical AdWords related projects.

If you find that one or more of your AdWords accounts has been hacked, here's what to do:

It's assumed the computer(s) you use to access your AdWords account(s) are free of viruses and spyware and that your connection to the Internet is secure. If that's not the case, your AdWords account may still not be secure even after you follow the steps below.

1. If you can still access the hacked account, change the password right away. Make sure to create a strong password.

2. Pause/delete the campaigns that were modified or added by the hacker.

3. Contact AdWords Support. If you discover your account has been hacked during Google's business hours, call them immediately at 1 (866) 246-6453 and then follow up with an e-mail so there's a written record of your report (very important). If it's outside of business hours, send a message to the AdWords team via the contact form. You can also try to make contact via the "chat with a specialist" feature, which is here.

4. Change all of your other important passwords. If your AdWords password has been compromised, the possibility exists that other passwords you use have been compromised as well.

There are a lot of different ways an account could have been compromised. The following links provide additional information and advice for people who have had an AdWords account hacked:

- Google AdWords Account Hacks Via Computer Exploit

- Google AdWords Account Hacked: False Ads and False Charges

- Protecting Your Google AdWords Account From Fraud

- What to do if I Think Someone's Hacked my AdWords Account

- Your Gmail Account (Google Account) Can be Hacked: Here's How to Protect it

- A Kidnapped AdWords Account

- How to Avoid Getting Hooked

- AdWords Hackers - What a Nightmare

- Locked out of AdWords Account


7 Comments:

At 7:37 AM, Blogger CustardMite said...

The same thing happened to me not so long back (you may have seen my post on DigitalPoint).

In my case, it was a login that applied only to Adwords, on a single account, that I hadn't used to log in for over a year (on a computer that has since died). It seems implausible to me that somebody got the details using spyware, then sat on it for over a year before using it.

And one of our clients had their account hacked, despite the fact that they've never logged in (we set them up with access, but they never used it).

I can only think that somehow, somebody is hacking short passwords, and as a result, all of my passwords are now at least ten characters...

 
At 7:49 AM, Blogger Jeremy Mayes said...

Hey Custardmite,

The account had a password with more than 10 characters and used letters and numbers. I suppose even then it's hackable. Even though I saw your post a month+ ago on DP I never changed the password on the AdWords account I posted about :-(

The lesson learned for me is strong passwords or not, I'll be changing all of my passwords much more frequently.

 
At 8:55 AM, Anonymous Quality Nonsense said...

My AdWords account just got hacked this week. Like yourself, I had a long password with mixed cases, numbers etc.

The last time I checked my account on someone else's machine must have been six months ago.

Google have yet to shed any light.

 
At 5:48 AM, Anonymous Anonymous said...

You might have a trojan/keylogger on your client PC/Mac, or on any public PC you've used to access this - some keylogger trojans, e.g. Mebroot/Sinowal, are hard to detect. They grab so many passwords for banks, credit cards, etc, that it's quite likely they didn't bother using your Adwords password.

There are other possibilities, e.g. that Google Adwords as a whole was hacked or otherwise compromised, but that seems much less likely and would be far more widespread.

 
At 5:51 AM, Blogger CustardMite said...

Don't see why, if I had a keylogger or something similar, they wouldn't use my up-to-date username and password, which would give them access to all of our clients' accounts.

This was a password for one account only, that I hadn't used in a very long time. It seems unlikely that somebody would sit on a hacked account for over a year before using it...

 
At 8:07 AM, Blogger Jeremy Mayes said...

Ditto on what custardmite said.

I don't use public computers, I always have my laptop when traveling and use one of my office desktops while at home. All of my pcs are fully up to date in terms of windows updates, anti virus & spyware. I also use hardware and software firewalls. I guess it's possible that I had (and guess would still have since I've never removed it) a virus or something but if I had to bet I would bet against that.

Personally, I think the outbreak of accounts being hacked we've seen over the last few months might be an inside job. Sounds crazy but based on everything I've seen it's the most logical explanation I've heard...

 
At 4:16 PM, Anonymous Myke said...

I got hacked in July. I hadn't looked at the campaigns in detail in several weeks.

I suggested to the Adwords team that when the daily budget changes dramatically (in one campaign the hacker changed it from $5 to $5000), please drop me an email.

Google could save everyone a lot of busywork if they notified us when outlier changes are made to an account.
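
The outlier notification suggested in the comments, sketched as an added example (not code from the post, its commenters, or Google): it scans an account change history for large daily-budget jumps, high-budget new campaigns, and activity from a login that has been unused for months. The record fields, thresholds and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed change-history records; field names are assumptions, not an AdWords export format.
EVENTS = [
    {"ts": "2008-02-15T10:00", "login": "primary", "type": "login"},
    {"ts": "2008-07-02T09:00", "login": "mcc", "type": "login"},
    {"ts": "2008-07-02T09:05", "login": "mcc", "type": "budget", "campaign": "Test A", "old": 4, "new": 5},
    {"ts": "2008-08-20T16:30", "login": "mcc", "type": "login"},
    {"ts": "2008-09-18T03:12", "login": "primary", "type": "login"},
    {"ts": "2008-09-18T03:15", "login": "primary", "type": "budget", "campaign": "Test A", "old": 5, "new": 5000},
    {"ts": "2008-09-18T03:20", "login": "primary", "type": "new_campaign", "campaign": "Promo X", "new": 3000},
]

def find_outliers(events, budget_ratio=10.0, dormant_days=90):
    """Return (timestamp, reason, subject) tuples for changes worth an e-mail alert."""
    alerts = []
    last_seen = {}   # login name -> time of its previous activity
    accepted = {}    # campaign -> last daily budget that did NOT raise an alert
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        prev = last_seen.get(ev["login"])
        if ev["type"] == "login" and prev and ts - prev > timedelta(days=dormant_days):
            alerts.append((ev["ts"], "dormant_login", ev["login"]))
        last_seen[ev["login"]] = ts
        if ev["type"] == "budget":
            base = accepted.get(ev["campaign"], ev["old"])
        elif ev["type"] == "new_campaign":
            # A new campaign has no history, so compare against the account's typical budget.
            base = median(accepted.values()) if accepted else None
        else:
            continue
        if base and ev["new"] / base >= budget_ratio:
            # Flagged values stay out of the baseline so one bad change cannot hide the next.
            alerts.append((ev["ts"], ev["type"] + "_outlier", ev["campaign"]))
        else:
            accepted[ev["campaign"]] = ev["new"]
    return alerts

if __name__ == "__main__":
    for alert in find_outliers(EVENTS):
        print(*alert, sep="  ")
```
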

 


PPC Discussions is a blog about paid search authored by Jeremy Mayes, a search marketer from Illinois.
