Google Account Security
03/12/2013, By James Giles
Over the last couple of months, two of our clients’ Gmail accounts have been hacked, leading to unauthorised access to their AdWords accounts. These hackers were obviously targeting AdWords because, once in the accounts, they set live a paused ad group and added in many broad match keywords, as well as one ad. In both cases, no activity went live, but the accounts were suspended by AdWords.
The AdWords security system in both cases worked well. It identified that there had been malicious activity around the Gmail address and that random keywords were being added into the AdWords account. After AdWords had detected the unauthorised access and the changes to the account, the account was suspended. This prevents any further changes from being made and stops all ads being served.
However, the main problem with account suspension is that it can take up to 48 hours before it becomes active again. After accounts are suspended, Google runs a full review of the account to determine how access was gained and what changes were made. All changes are then reverted and any spend that accrued against the malicious activity is refunded.
Often AdWords accounts get set up with a Gmail address and, over time, more people are granted access to the AdWords account. Agencies that manage accounts generally have accounts linked to their MCCs, so the original Gmail address becomes forgotten and unused. If there’s malicious activity around this Gmail account, the warning emails are not picked up.
There are some basic steps that you can take to improve security:
1. Check your computer for malware and viruses. To run a malware scan on your computer, please follow the instructions found at https://support.google.com/accounts/bin/answer.py?answer=88072&hl=en_GB.
2. Change the password for your AdWords account. Make sure that you check your computer for malware before changing your password, since malware still present on your computer could capture the new password.
Here's how to change your password:
Sign in to your AdWords account at adwords.google.co.uk.
Click the "My account" tab and then "Preferences". Click "Edit in Google Accounts".
Click "Change password", one of the first links on the page.
Enter your information in the appropriate fields and then click "Save".
3. For added security, change the Google Account email address. Visit http://adwords.google.com/support/aw/bin/answer.py?hl=en_GB&answer=24828 for instructions.
4. Also consider enabling 2-step verification in your Google Account as an additional security measure. Visit https://support.google.com/accounts/bin/static.py?page=guide.cs&guide=1056283&topic=1056284&hl=en_GB for instructions. This is really useful as any warning messages, e.g. attempts to change your password, are texted to the mobile phone number you provide.
If you’re concerned there has been malicious activity around your Google account, you should implement all of the above steps. If you’d just like to improve security, update your password and enable 2-step verification.