About account activity change logs
This article is a comprehensive glossary of the actions and status updates that may appear in your account activity change logs. Whether you’re performing a routine audit or reviewing a security cleanup, use these definitions to understand the changes made to your account.
On this page
Column definitions
Refer to the table below for an explanation of what each column in your account activity log represents.
| Column | What it means |
| Activity |
The specific change made to the account, like creating a campaign or adding a user. |
| Associated user |
The email address of the user that performed the activity. If this field is blank, the action was performed by a system process or a Google automated security protocol. |
| Security action taken |
The immediate, automated step Google took to stop further risk, like pausing an unauthorized campaign. |
| Time of action |
The exact timestamp of when Google’s security systems intervened. |
| Action during cleanup |
The final resolution step to restore the account to its original state. This may require manual verification or additional actions from you. |
|
Cleanup status |
This status will show whether the cleanup has been completed or if further action is required from you. |
Action types
The account activity log tracks several categories of changes. Refer to the table below for an explanation of what each "action type" means.
| Category | Action | What it means |
|
Campaign |
Campaign paused or deleted |
If a compromised user created a campaign, Google likely paused it immediately to stop ad spend. During cleanup, these are often deleted permanently. |
|
Access and permissions |
Downgraded to read-only |
Access is immediately restricted for suspicious users so they can’t make further changes while an investigation is pending. |
|
Remove user |
Unauthorized users are purged from the account during the cleanup phase. |
|
|
Revert role |
If a compromised user changed a legitimate user’s permissions, like changing an Admin user’s access level to Read-only, Google attempts to restore those permissions back to the original state. |
|
|
Linking and invitations |
Invitation revoked |
Any pending invites sent by an unauthorized user are revoked before they can be accepted. |
|
Relink MCC |
If a compromised user unlinked your Manager Account, the cleanup action involves re-establishing the link to that account. |
|
|
Payment and billing |
Remove payment profile |
If an unauthorized billing profile was added, it’s flagged for removal to prevent fraudulent charges or credit card testing. |
|
Relink payment profile |
If your legitimate billing setup was disconnected, you may need to manually re-confirm the link to your payment profile so your ads can serve again after the account is secured. |
Cleanup status
The "Cleanup status" column indicates the final result of the security intervention. While security actions happen immediately to stop a threat, the cleanup phase is what restores your account to its proper state.
| Status | What it means | Your next step |
|
Successfully completed |
Google successfully reverted the change or removed the unauthorized element on your behalf. |
No action needed |
|
Advertiser review needed |
Google has paused or held a change to protect your spend. Verify the settings are correct before resuming activity. |
Action required Manually check your settings like budgets or URLs and resume or edit as needed. |
|
Failed |
The automated cleanup tool can’t complete the restoration. For example, the tool may fail to complete cleanup if a technical conflict prevented a user re-invite. |
Action required If you notice a "Failed" status, review the "Action during cleanup" column for that row and perform the steps manually to make sure your account is fully secured and operational. |
|
N/A |
No change needed. The initial security action already addressed the risk. For example, an invitation was revoked before it was accepted, so no further action is required. |
No action needed |
What to do if a cleanup step fails
In some scenarios, Google’s automated systems may not be able to fully restore certain items in your account. For example, a technical conflict might prevent the system from automatically re-inviting a legitimate user who was removed during the period that your account was compromised.
If this happens, the "Cleanup status" will show as "Failed" and you’ll need to perform that action manually by following these steps:
- Review the "Action during cleanup" column to learn what went wrong.
- Perform the requested action manually.
Completing these manual steps ensures your account structure is fully secured, your team has the correct access, and your campaigns are ready to run safely.