(13)
Over the past month or so, I have been noticing a larger volume of reports of advertisers claiming their AdWords accounts were compromised. Here is a recent thread at WebmasterWorld plus Jeremy Mayes, a seasoned PPC guy, was also compromised. There are many other newish threads with people reporting this issue and one of my accounts was even compromised a couple weeks ago.
Google handles this process very well. In fact, they alert you of the weird charges. They pause your account and ask you to change your passwords. They calm you and guide you through the security steps you should take. Also, they credit you for the false ads that the hackers created to generate leads to their sites.
But the number of these reports, from advertisers who I know are extremely careful about browser security and password security, has been climbing recently.
Tamar wrote a post about a month ago, named Google AdWords Account Hacked: False Ads & False Charges and Jeremy's PPC Discussions has an excellent roundup on what to do when you have been compromised.
My concern? That there is a loophole that gives someone access to your account, without knowing your password. Maybe through the API, maybe through AdWords Editor or maybe through some type of web security exploit. I might be a bit over dramatic on this concern but I just have a feeling (that is all I have, a feeling, no evidence) that there is some type of loophole, somewhere.
Forum discussion at WebmasterWorld.
Comments:
Arthur
09/23/2008 01:04 pm
This is scary, and at the same time just timely information because I am just about to reactivate my Adwords account. Maybe I'll hold on for a while and let the issue pass first.
No Name
09/23/2008 05:33 pm
Yep, I had the same thing happen to one of my AdWords accounts where a user hijacked some ads pointing them to a website in Asia that contained malware. Google was very good about handling this situation though a little slow. My concern, too, is the fact that I am the only one that logs into the account that had been compromised and am very careful with it (i.e., not falling for phishing schemes, using secure passwords, etc.) I still wonder how they got access...
Darren
09/24/2008 04:48 pm
I, too, had a client's account hacked. Within 24 hours, he had run up over $2500 worth of $6 clicks to a CPA loan site. Google, so far, has been very helpful. I hope these issues aren't getting worse! Thanks for the update! D. Barkett www.creative-emarketing.com
Diamonds
09/24/2008 05:36 pm
Wow! this is very scary, $6 per click. Thanks for this post, we'll keep an eye on our account. A month ago received an email that my credit card was expiring and i had to change my cc info but never clicked on the link in the email since i knew my card was not gonna expire in the next few months. But this could all be an inside job issue.
MGA
09/24/2008 06:28 pm
Thank you for the article and comments. I wasn't aware of such an issue before. I'll keep my open and pay attention to absurd charges.
GC
09/25/2008 06:30 pm
Just bought in to 'adwords' - hope there isn't any truth to this.
Michelle
11/20/2008 01:37 am
I too had my account compromised on the 3 November. I suddenly had a charge for £1000 on adverts at £10 per click to a loan company in the USA. Unfortunately Google have not been helpful to date and suggested I request recovery from my bank. Any helpful comments would be appreciated
Patrick
12/10/2008 10:30 pm
This happened to us. A couple of notes; - We have been running PPC campaigns since 2000. We are not "newbs". - We have up to date spyware/virus software on all of our PC's. We run phishing protection within our FF browsers and do not use IE. - Since the event, we rescanned all machines that could have been involved and found nothing. Google has been pretty slow. They didn't notify us of it at first (we found it, which was lucky because it was well hidden in one of our many, large accounts). Once we did get in touch with them, the suspended the account in question. So now, our clients ads are offline while they investigate. No ETA, no way to generate business. In general, the attack was very clever in that they enabled the campaign late at night, hid it within our existing campaign structure (i.e. used our naming convention), deleted a campaign with the same name, ran it only at night over the weekend, and used a temporary domain registration to divert traffic to a paydayloan company. We have not reached resolution with Google, but I am very much of the mind that there is a whole in the system somewhere. While it is possible that the password was stolen, it is unlikely. It was recently updated as part of an ongoing security process and was not shared beyond one user (all users have their own logins). I will keep you posted on the outcome.
Annieb
12/15/2008 01:01 pm
I do not even have an Adwords account, but I have had 4 fraudulent charges from Google Adwords, totalling about $500. I KNOW I have not been phished - I am extremely suspicious of all links in emails. I regularly run a malware scan, so that is also unlikely. Scary!
Kratom
01/22/2009 12:21 am
One has to wonder if Google will ever know or admit to how Michelle's adwords account was compromised. A cautionary tale indeed.
Blake K
06/02/2009 03:04 pm
Google just notified me my adwords account was hacked. I don't know the damage yet, but having been online since 1994, I don't fall for phishing emails and I keep my computers clean. Kind of worrying. They do seem pretty on top of things so far, though.
Carlos
06/06/2009 02:34 pm
Just happened to me too. They ran up about $4000 in charges in just a matter of a couple hours. I've been doing a lot of updating recently and caught it quickly, but it's scary how fast they can run up the bill. Google never alerted me and I have not heard back from them yet on this issue.
Michael
07/19/2009 03:01 am
You can add us to the list too. $14,000 of ads to budget plane ticket sites (via a redirect) between Friday night and Saturday morning. Being over the weekend we can't even speak to Google until Monday morning...