Agencies Lost Millions to Google Ads MCC Hijacks That Google Never Detected
Every agency using Google Ads has had the same thought at some point: if someone hijacked our MCC tomorrow, would we even know before the damage was done?
The honest answer, based on the last 18 months of reported incidents, is probably not. And Google wouldn’t catch it for you either.
An investigation by AdExchanger covered three affected agencies. All three self-reported their breaches to Google; Google detected none of them proactively. One of those agencies manages a nine-figure annual budget with Google. Two lost millions. Neither got a full refund.
If that doesn’t get your attention, I’m not sure what will.
What an MCC Hijack Actually Looks Like at Midnight
A detailed account published by Search Engine Land walks through one agency’s experience from start to finish, and it reads less like a security incident and more like a home invasion.
The attackers compromised an employee’s email account. They had tried three different company email accounts before finding one that had been “sitting around auto-logging in” for over two months. That detail matters: a dormant account with a persistent signed-in session never presents a login page, so it never presents a second-factor prompt either. Once inside, the sequence took about eight hours:
They removed every other user from the MCC. Changed the allowed domain from the agency’s domain to Gmail. Granted access to over a dozen unauthorized accounts. Created a fake MCC using the agency’s actual name. Changed payment methods across client accounts. Launched new campaigns. Attempted half a million dollars in charges on two accounts.
The two large charges got rejected by the credit card companies, which is the only reason the actual fraudulent spend stayed under $100. But the financial damage is almost beside the point. The agency was locked out for a full week. Campaigns went dark. Client data was exposed to unknown actors. The cleanup took significantly longer than the attack.
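Here is what the opening question (would we even know?) looks like as a detection rule. This is an added example, not code from the article or from any agency it describes. It runs four simple rules over a constructed event log shaped after the eight-hour sequence above: a burst of user removals by one actor, the allowed domain flipped to a public mail provider, users granted from outside the agency domain, and a burst of payment changes. The log line format, the actor and action names, the thresholds and the one-hour window are all my assumptions; Google Ads does not export access changes in this shape, so you would point parse_event() at whatever record of access changes you actually keep.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample event log modelled on the eight-hour sequence in the text.
# The "ts user=... action=... detail=..." format is my own, NOT a Google Ads API
# or change-history export format: replace parse_event() for your real source.
SAMPLE_EVENTS = [
    "2026-02-13T17:30:00Z user=m.ops@agency.example action=user.remove detail=intern@agency.example",
    "2026-02-14T00:07:12Z user=j.doe@agency.example action=login detail=persistent-session",
    "2026-02-14T00:11:40Z user=j.doe@agency.example action=user.remove detail=a.smith@agency.example",
    "2026-02-14T00:12:05Z user=j.doe@agency.example action=user.remove detail=b.lee@agency.example",
    "2026-02-14T00:12:31Z user=j.doe@agency.example action=user.remove detail=c.ng@agency.example",
    "2026-02-14T00:15:00Z user=j.doe@agency.example action=allowed_domain.set detail=gmail.com",
    "2026-02-14T00:20:10Z user=j.doe@agency.example action=user.add detail=ops.helper@gmail.com",
    "2026-02-14T00:21:44Z user=j.doe@agency.example action=user.add detail=admin.support@gmail.com",
    "2026-02-14T03:02:00Z user=j.doe@agency.example action=payment.update detail=client-acct-1",
    "2026-02-14T03:05:30Z user=j.doe@agency.example action=payment.update detail=client-acct-2",
    "2026-02-14T05:40:00Z user=j.doe@agency.example action=campaign.create detail=client-acct-1",
]

AGENCY_DOMAIN = "agency.example"  # assumed agency domain
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    ts_str, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split(" "))
    event["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_hijack(lines, window=timedelta(hours=1), removal_threshold=3, payment_threshold=2):
    """Return (rule, actor, timestamp, detail) findings for the four patterns above."""
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    bursts = defaultdict(list)  # (actor, action) -> timestamps inside the sliding window
    findings = []
    for e in events:
        actor, action, detail = e["user"], e["action"], e["detail"]
        if action == "allowed_domain.set" and detail.lower() in PUBLIC_MAIL_DOMAINS:
            findings.append(("allowed_domain_to_public_mail", actor, e["ts"], detail))
        elif action == "user.add" and detail.rsplit("@", 1)[-1].lower() != AGENCY_DOMAIN:
            findings.append(("external_user_granted", actor, e["ts"], detail))
        elif action in ("user.remove", "payment.update"):
            seen = bursts[(actor, action)]
            seen.append(e["ts"])
            while e["ts"] - seen[0] > window:  # drop timestamps that fell out of the window
                seen.pop(0)
            threshold = removal_threshold if action == "user.remove" else payment_threshold
            if len(seen) == threshold:  # fire once, at the moment the threshold is crossed
                findings.append((f"burst_{action}", actor, e["ts"], f"{threshold} within {window}"))
    return findings


def is_hijack(findings, min_distinct_rules=2):
    """Call it a hijack when several independent rules fire, not on any single one."""
    return len({rule for rule, *_ in findings}) >= min_distinct_rules


if __name__ == "__main__":
    found = detect_hijack(SAMPLE_EVENTS)
    for rule, actor, ts, detail in found:
        print(f"{ts:%Y-%m-%d %H:%M}  {rule:32} {actor}  {detail}")
    print("HIJACK" if is_hijack(found) else "no alert")
```

The single removal by m.ops the previous evening produces nothing; the j.doe session trips all four rules inside the first three hours, well before the attempted half-million-dollar charges. Requiring two distinct rules before alerting is what keeps a legitimate offboarding of three people from paging anyone.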
Andrew Goodman, president of Page Zero Media, told MediaPost the attacks have been coming as “a steady stream for 12-18 months.” This isn’t a one-off. It’s a pattern, and from what I can tell, it’s accelerating.
Two-Factor Authentication Isn’t the Safety Net You Think It Is
The agency in the Search Engine Land report had two-factor authentication enabled. They had allowed domains configured. The attackers got through anyway.
In several documented cases, hijackers aren’t stealing passwords in the traditional sense. They’re sending phishing emails that mimic Google’s own account-access invitations so precisely that the recipient clicks through, signs into what looks like a legitimate Google page, and approves access for what appears to be a routine admin user or OAuth app. 2FA protects the sign-in. It does nothing when the legitimate, already-signed-in user is the one clicking “grant access” for an attacker-controlled account or app; from Google’s side that is an authorized admin making an authorized change. By the time 2FA would matter, the attackers already have what they need.
We covered one version of this last week, where agencies were getting fake client inquiries submitted through their own contact forms. Pauline Jakober at Group Twenty Seven flagged one where the sender’s domain had been registered just three days earlier. The formatting was nearly perfect.
I think most agencies assume 2FA makes this someone else’s problem. From what I’ve seen in the last year of reporting on this, that assumption is getting people burned.
Google’s Response Has Been... Measured
Ginny Marvin, Google Ads product liaison, offered the standard line to MediaPost: “While we proactively monitor for unusual account activity to stop these incidents, advertisers must remain alert.”
Proactive monitoring that didn’t catch any of the three breaches documented by AdExchanger. That’s a rough look.
To be somewhat fair, Google did launch multi-party approval for Google Ads in early February 2026. It’s a real security improvement: when an admin tries to add or remove users or change roles, a second admin has to approve the change. If nobody responds within 20 days, the change is blocked automatically.
Here’s the problem. It’s not on by default. Most agencies I’ve talked to either don’t know it exists or haven’t gotten around to enabling it. And it only covers user access changes, not billing modifications or campaign creation. So if an attacker already has access, multi-party approval won’t stop them from running up your clients’ credit cards.
It’s a good feature. It’s also not the complete fix that the scale of this problem demands.
The 15-Minute Security Audit Every Agency Should Run Today
I’m going to be specific here because vague advice like “review your security posture” is worth roughly nothing.
Open your Google Ads MCC right now. Go to Admin, then Access and security. Count the users with admin-level access. If you can’t immediately name every single one and confirm they’re a current employee, you have a problem that takes about four minutes to fix.
Here’s the full checklist:
Access cleanup (5 minutes). Remove any user you don’t recognize or who no longer works at the agency. Remove any generic shared-login accounts. If someone needs access, they get their own account.
Enable multi-party approval (2 minutes). It’s under Access and security in the Admin menu. Turn it on. This means no one person can add an unauthorized user to your MCC without a second admin signing off.
Authentication check (3 minutes). Confirm every user has 2FA enabled with an authenticator app or physical security key, not just device prompts. Check that nobody has extra or unrecognized 2FA methods configured; an attacker with a brief window on an account will often enroll a backup phone or authenticator of their own so they can get back in later. If anyone is still using SMS-based verification, fix that today.
Payment method audit (3 minutes). Verify every payment method on every client account. If any account is connected to a bank account rather than a credit card, consider switching. Credit cards have fraud protections that bank transfers don’t. Check that payment manager access is limited to people who actually need it.
Backup (2 minutes). Download your account structures through Google Ads Editor. If you get locked out, this is how you rebuild without starting from zero.
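The access cleanup step is the one most agencies will do by eye and then forget. Here it is as a repeatable script, an added example that is not code from the article or from Google: it takes the user list of a manager account plus an HR roster of current employees and flags every user who fails one of the checklist’s questions (outside the allowed domain, a generic shared mailbox, not a current employee, or granted access recently enough that someone should confirm a second admin approved it). The rows and roster are constructed; the GAQL at the top is what I believe pulls the live rows from the Google Ads API’s customer_user_access resource, but treat the field names as an assumption to verify against the API version you use. The allowed domain, the list of generic local parts and the 30-day window are assumptions too.

```python
from datetime import datetime, timedelta

# GAQL to pull the live rows from each manager account via
# GoogleAdsService.SearchStream. Field names follow the Google Ads API's
# customer_user_access resource as I know it; verify against your API version
# (assumption, not taken from the article).
USER_ACCESS_GAQL = """
SELECT customer_user_access.email_address,
       customer_user_access.access_role,
       customer_user_access.access_creation_date_time,
       customer_user_access.inviter_user_email_address
FROM customer_user_access
"""

ALLOWED_DOMAINS = {"agency.example"}  # assumed agency domain
GENERIC_LOCAL_PARTS = {"ads", "ppc", "admin", "marketing", "info", "team", "login", "google"}
RECENT_DAYS = 30  # any grant newer than this gets a second look

# Constructed sample rows (shaped like the API result) and a constructed roster
# of current employees, e.g. exported from HR.
SAMPLE_ACCESS = [
    {"email": "j.doe@agency.example", "role": "ADMIN", "created": "2021-03-02 10:14:00", "inviter": "founder@agency.example"},
    {"email": "a.smith@agency.example", "role": "STANDARD", "created": "2023-07-19 09:00:00", "inviter": "j.doe@agency.example"},
    {"email": "ads@agency.example", "role": "ADMIN", "created": "2019-11-05 15:30:00", "inviter": "founder@agency.example"},
    {"email": "b.lee@agency.example", "role": "ADMIN", "created": "2022-01-10 08:45:00", "inviter": "j.doe@agency.example"},
    {"email": "ops.helper@gmail.com", "role": "ADMIN", "created": "2026-02-14 00:20:10", "inviter": "j.doe@agency.example"},
]
CURRENT_STAFF = {"j.doe@agency.example", "a.smith@agency.example", "founder@agency.example"}


def review_access(rows, staff, now, allowed_domains=ALLOWED_DOMAINS, recent_days=RECENT_DAYS):
    """Flag every user that fails one of the checklist's access questions.

    `now` is a 'YYYY-MM-DD HH:MM:SS' string so an audit can be re-run and compared.
    Returns {email: {"role": ..., "flags": [...]}} for flagged users only.
    """
    cutoff = datetime.strptime(now, "%Y-%m-%d %H:%M:%S") - timedelta(days=recent_days)
    findings = {}
    for r in rows:
        email = r["email"].lower()
        local, _, domain = email.partition("@")
        flags = []
        if domain not in allowed_domains:
            flags.append("external_domain")  # should be impossible once allowed domains are enforced
        if local in GENERIC_LOCAL_PARTS:
            flags.append("shared_login")  # generic mailbox: nobody owns it, everybody knows the password
        if email not in staff:
            flags.append("not_on_roster")  # ex-employee, or never an employee at all
        if datetime.strptime(r["created"], "%Y-%m-%d %H:%M:%S") >= cutoff:
            flags.append("recent_grant")  # did a second admin approve this?
        if flags:
            findings[email] = {"role": r["role"], "flags": flags}
    return findings


def to_remove(findings):
    """Users to remove today: outside the domain, or not a current employee."""
    return sorted(email for email, info in findings.items()
                  if {"external_domain", "not_on_roster"} & set(info["flags"]))


def admin_count(rows):
    """How many admins there are; if you cannot name each one, that is the problem."""
    return sum(1 for r in rows if r["role"] == "ADMIN")


if __name__ == "__main__":
    report = review_access(SAMPLE_ACCESS, CURRENT_STAFF, "2026-02-16 09:00:00")
    print(f"{admin_count(SAMPLE_ACCESS)} admins across {len(SAMPLE_ACCESS)} users")
    for email, info in report.items():
        print(f"{email:28} {info['role']:9} {', '.join(info['flags'])}")
    print("remove today:", ", ".join(to_remove(report)))
```

On the constructed data the script flags the shared ads@ mailbox, the admin who left the company, and the Gmail account added two days ago by the compromised user, and leaves the two current employees alone. Run it per manager account, keep the output with the date, and the next audit becomes a diff rather than a fresh read of the admin list.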
That’s 15 minutes. Maybe 20 if your MCC has been accumulating users since 2019 like most agencies I know. The agency in the Search Engine Land report said it plainly: “With an ounce of prevention, you’re likely to prevent a pound of pain.”
Why the Recovery Process Is the Real Story
The attack itself lasted eight hours. The recovery took a week. For the agencies in the AdExchanger report, some client accounts were still locked months later.
That gap is the part that should concern you. Getting hacked is bad. Having no idea how to get back in, who to call at Google, or how to communicate the situation to clients is worse.
If your agency doesn’t have a documented incident response plan for an MCC compromise, you’re in the same position as every agency that’s already been hit. They didn’t have one either. The ones who recovered fastest had an existing relationship with a Google rep they could contact directly. The ones who relied on standard support channels waited for weeks.
The wave of mass ad disapprovals Google Ads saw recently was a different problem, but it exposed the same vulnerability: when something goes wrong in your Google Ads account, the speed of resolution depends almost entirely on whether you have a direct contact at Google or are stuck in the general support queue.
Start with the Admin List
I don’t think most agencies will get hacked. But I think most agencies would handle it badly if they did. That’s the gap worth closing, and it starts with a task so boring that nobody wants to do it: open your MCC, look at who has access, and remove everyone who shouldn’t be there.
The agencies that got burned weren’t small shops with sloppy security. They were managing millions. The difference between them and you isn’t that they were careless. It’s that the attackers only need to find one dormant email account that auto-logs in, one OAuth approval that looks routine, one moment where someone clicks before thinking.
Fifteen minutes today. Or a very bad week sometime later. Not the most exciting pitch, but probably the most honest one.
Notice Me Senpai Editorial