Statement on Google Ads Security Breach

Dear Clients and Partners,

On Thursday, May 22, 2025, we identified unauthorized ad campaigns running in 18 Google Ads accounts managed under our MCC. These campaigns were not created or approved by our team and were launched simultaneously across multiple client accounts using high daily budgets.

What Happened

Our investigation indicates that one of our authorized user accounts was compromised—likely through session hijacking or credential theft. While we have found no evidence of phishing or malware, the behavior and timing suggest a targeted breach intended to exploit administrative access. This incident was not caused by negligence or mismanagement, and thanks to our internal systems, we were able to detect the activity quickly and shut it down before it escalated.

Actions Taken

• Paused and removed all unauthorized campaigns immediately

• Filed detailed incident reports for each affected account with Google

• Reset passwords and forced logout for all admin-level users

• Revoked access tokens and terminated active sessions

• Audited account change history and user permissions across the MCC

• Blocked all unapproved third-party app access within our Workspace

• Verified that 2-Step Verification is enforced across all users

• Implemented new policies for account access monitoring and third-party authorization

Financial Impact

While most affected accounts incurred minimal charges, one account experienced a fraudulent charge of $354. The campaigns were created with daily budgets as high as $50,000, so our ability to catch and stop them quickly was critical. Google has confirmed that refunds will be issued for all verified fraudulent charges.

Broader Industry Context

Incidents like this are becoming increasingly common. Multiple sources across the ad tech and cybersecurity communities have reported similar cases in which Google Ads accounts—often with 2-Step Verification enabled—were compromised through advanced attack methods, including session hijacking, browser-based exploits, and access token abuse. In many of these cases, attackers gained temporary control of accounts to launch high-budget campaigns promoting fake products or services. If that sounds familiar, it’s because that’s exactly what happened in our case.

These trends highlight how sophisticated and aggressive these attacks have become, and reinforce the importance of layered security and fast detection. Here are several examples:

• “Malvertising” Campaigns Targeting Google Ads Users
  Cybersecurity researchers have identified “malvertising” schemes where attackers impersonate Google Ads to redirect users to fake login pages, stealing credentials and two-factor authentication codes.

• Hijacking of Google Ads Accounts via Phishing
  Reports indicate that scammers create fraudulent sponsored search links, leading ad buyers to fake Google Ads login pages, resulting in account takeovers.

• Rise in Google Ads Account Hijacking
  There has been an increase in incidents where cybercriminals hijack Google Ads accounts by creating fake login pages to steal credentials, subsequently running unauthorized ad campaigns.

• Malvertising Through Google Ads
  Malvertising campaigns have exploited Google Ads to distribute malware, exposing sensitive user and corporate data to unauthorized access.

• Google Ads Exploited in Cyberattacks
  Attackers have been known to steal login details and two-factor authentication codes to gain unauthorized access to Google Ads accounts, adding new administrators and misusing ad budgets.

Ongoing Commitment

We are in continuous communication with Google and are pushing hard for swift reinstatement of all suspended accounts. In the meantime, we’ve reinforced our security posture across every level of our organization. Protecting your ad accounts and your trust remains our top priority, and we will continue to take every step necessary to ensure this never happens again.

Thank you for your continued support and understanding.

—Scott
K9 Cloud