AdWords account hijacking
In recent weeks we have had two client accounts on AdWords “hijacked.” Someone was able to discover or hack the passwords for two different email logins, presumably either by inadvertent disclosure or use of weak / easy-to-guess passwords. Campaigns were created that targeted keywords related to screen savers and loans, and the ads took users to throw-away domains. In both cases, Google notified us within 48 hours of the initial hacking and disabled the accounts, but after several thousand dollars had been “spent.” While clients may be eligible for credits or refunds, it can take some time to resolve all issues.
We strongly recommend taking several steps to reduce the likelihood of someone stealing your passwords:
- Use strong passwords that include letters, numbers, and mixed case, and make them at least 8 characters long. There are many online resources that help you come up with secure passwords that are easy to remember. Better yet, use a tool like Keepass to create really strong passwords that you don’t have to memorize.
- Don’t email passwords or send them over IM. Assume that someone else can and is reading your correspondence as these are generally not secure.
- Create separate logins for everyone that will use your AdWords account so that they each can have their own passwords (you won’t be tempted to email them) and you can more easily track down problems should they arise.
If you suspect that your account has been hijacked, the first thing to do is change your password, then pause the offending campaigns, and then contact Google Support. All three should be done immediately to mitigate damage.