Over the past month or so, I have been noticing a larger volume of reports from advertisers claiming their AdWords accounts were compromised. Here is a recent thread at WebmasterWorld, and Jeremy Mayes, a seasoned PPC guy, was also compromised. There are many other newish threads with people reporting this issue, and one of my accounts was even compromised a couple of weeks ago.
Google handles this process very well. In fact, they alert you to the weird charges. They pause your account and ask you to change your passwords. They calm you and guide you through the security steps you should take. Also, they credit you for the false ads that the hackers created to generate leads to their sites.
But the number of these reports, from advertisers who I know are extremely careful about browser security and password security, has been climbing recently.
Tamar wrote a post about a month ago, named "Google AdWords Account Hacked: False Ads & False Charges," and Jeremy's PPC Discussions has an excellent roundup on what to do when you have been compromised.
My concern? That there is a loophole that gives someone access to your account without knowing your password. Maybe through the API, maybe through AdWords Editor, or maybe through some type of web security exploit. I might be a bit overdramatic on this concern, but I just have a feeling (that is all I have, a feeling, no evidence) that there is some type of loophole, somewhere.
Forum discussion at WebmasterWorld.