What to do if your account is compromised
If we think your Google Ads account has been compromised for any reason, your Google Ads account will be temporarily suspended to stop your ads from serving. To minimize any potential damage, your Google account may also be disabled. You won’t be able to use any products associated with that Google account, such as YouTube or Gmail, until the issue is resolved. Learn more about Google Ads account suspensions.
This article guides you through the steps to regain access to your account and what you need to do before you begin operations again.
1. Report your compromised Google Ads account
If you believe your account has been compromised, report your compromised account to Google Ads as soon as possible.
Summarize the timeline of unauthorized changes and the login credentials you think are compromised. If you still have access, view the change history of your account to determine details and identify changes that you don’t recognize.
Gather the following information before you report your account as compromised:
- Specific timestamps from the change history that show unauthorized access, such as unauthorized user additions
- Unauthorized Manager Account IDs linked to the hierarchy
- Evidence of budget increases or automated rules that deviate from historical management
- Your current IP address for verification
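As an added example (not part of the original article and not Google tooling), the script below shows one way to pull the first three kinds of evidence out of a change history export and order them into a timeline. The CSV layout, change-type names, email addresses, IDs and the 3x budget threshold are constructed assumptions; adapt them to what your real export contains.

```python
import csv
import io
from datetime import datetime
from statistics import median

# Constructed sample; the column names are assumptions, not the Google Ads export format.
SAMPLE_EXPORT = """timestamp,user,change_type,detail
2024-05-01T09:12:00+00:00,owner@example.com,BUDGET_CHANGED,campaign=Brand;daily_budget=55
2024-05-03T02:41:07+00:00,owner@example.com,USER_ADDED,email=new.admin@example.net;role=Admin
2024-05-03T02:44:30+00:00,new.admin@example.net,MANAGER_LINKED,manager_id=000-000-0000
2024-05-03T02:47:55+00:00,new.admin@example.net,BUDGET_CHANGED,campaign=Promo;daily_budget=5000
2024-05-03T02:49:10+00:00,new.admin@example.net,RULE_CREATED,name=raise-bids-hourly
"""

# What the account owner knows to be legitimate (all values constructed).
BASELINE = {
    "users": {"owner@example.com", "analyst@example.com"},
    "manager_ids": {"111-111-1111"},
    "rules": {"pause-low-ctr"},
    "daily_budgets": [40, 50, 55, 60, 45],  # historical daily budgets
}

def parse_detail(detail):
    """Turn 'k=v;k=v' into a dict."""
    return dict(item.split("=", 1) for item in detail.split(";") if "=" in item)

def collect_evidence(export_text, baseline, factor=3):
    """Return (timestamp, actor, reason) tuples, oldest first."""
    limit = factor * median(baseline["daily_budgets"])  # budget ceiling
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        d = parse_detail(row["detail"])
        kind, reason = row["change_type"], None
        if kind == "USER_ADDED" and d.get("email") not in baseline["users"]:
            reason = f"unrecognized user added: {d.get('email')} ({d.get('role')})"
        elif kind == "MANAGER_LINKED" and d.get("manager_id") not in baseline["manager_ids"]:
            reason = f"unrecognized manager account linked: {d.get('manager_id')}"
        elif kind == "BUDGET_CHANGED" and float(d.get("daily_budget", 0)) > limit:
            reason = f"budget {d['daily_budget']} exceeds {limit:g} ({d.get('campaign')})"
        elif kind == "RULE_CREATED" and d.get("name") not in baseline["rules"]:
            reason = f"unrecognized automated rule: {d.get('name')}"
        if reason:
            findings.append((datetime.fromisoformat(row["timestamp"]), row["user"], reason))
    return sorted(findings)

def summarize(findings):
    """Timeline text for the report, one line per flagged change."""
    if not findings:
        return "No changes deviate from the baseline."
    return "\n".join(f"{ts.isoformat()}  {who}  {why}" for ts, who, why in findings)

if __name__ == "__main__":
    print(summarize(collect_evidence(SAMPLE_EXPORT, BASELINE)))
```

The actor on the earliest flagged row (here the login that added the unrecognized Admin) is the credential to name as likely compromised in the report.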
2. Recover and secure your account
Follow the guided steps to recover your account. You'll be asked some questions to confirm it's your account. See Tips to complete account recovery steps to help expedite this process.
If you report unauthorized activity or Google detects suspected unauthorized activity in your account, we will investigate the event. If unauthorized activity is confirmed, Google will immediately move forward with securing your account.
When Google secures an account, our security systems automatically take immediate, comprehensive actions to stop the unauthorized activity.
These actions include:
- Temporary account suspension: The account will be suspended while we secure the account. The timeline for lifting this suspension will differ depending on the compromised activity.
- Campaign pausing: We will only pause campaigns that were created or modified by the unauthorized user. All of your other untouched campaigns will continue running as normal. We will not delete any campaigns during the secure stage.
- User access restriction: We remove the compromised users and delete any unauthorized user or manager account invitations.
- Authorized user access restoration: Your legitimate users will keep their original level of access. If the unauthorized user kicked out any of your team members, our system will automatically send them a new invitation to regain their access after the account is secured.
- Account linking: We immediately unlink any unauthorized manager accounts and set spending limits to zero on any new sub-accounts that were created without your permission.
Review your account change log
After your account is secured, Google will generate a detailed account activity change log that lists all modifications made during the security event. You’ll receive this log via email to review the activity and provide your cleanup decision. Only users who held an Admin role before the confirmed compromised date will be eligible to approve change log requests.
The specific level of access the compromised user gained is determined by Google during the investigation process. The administrators authorized to review and approve this change log will also vary depending on where the unauthorized access occurred.
- Sub-account access: If the compromised user only gained access to a specific sub-account, administrators of that specific account can choose the remediation solution.
- Manager Account (MCC) access: If it’s determined that the compromised user gained access at a higher manager account level, only administrators at that specific manager level will be able to approve the remediation request. Email notifications will be sent to both the highest-level manager account administrators and the sub-account administrators to ensure all relevant teams are informed.
Account cleanup decisions
- Clean up this account: Select this option if all listed modifications were malicious. Google’s system will automatically remove and revert all flagged changes.
- Restore this account as is: Select this option if the flagged activity is legitimate. The verified changes will be restored back to your account.
- Additional investigation is needed: Select this option if you approve of some changes but require an additional review for others. This will route your account to the support team for additional review.
To submit an account cleanup decision, you are required to update your Google account password.
Resolve the security issues in your account
Our priority is to secure your account and restore your ad campaigns as quickly as possible. Your account will follow one of two resolution workflows depending on the type of activity detected:
- User and campaign changes only: This process applies if the unauthorized activity was limited to changes within your existing campaigns or user permissions.
  - Administrator re-authentication: To ensure your current session is secure, account administrators must re-authenticate their identity using Multi-Factor Authentication (MFA) or 2-Step Verification (2SV) and change or reset their Google account password. This is a required step. You will not be able to complete the change log review or submit your decision until re-authentication is successful.
  - Account security and immediate release: After your account is secured, we’ll immediately unsuspend your account so your ads can start serving again.
  - Notification of change log delivery: All account administrators who held their roles prior to the confirmed compromise event date will receive an automated email, with the exception of the originally compromised user. This alert will confirm that unauthorized changes were detected and that your account is now secure. This communication will also include a detailed change log that highlights all changes made during the security incident.
    - Only one administrator can submit a decision. Any subsequent attempts by other administrators will not be permitted.
  - Review the change log: Review the provided change log and select the appropriate account cleanup decisions for each action. After you confirm the changes through the provided link, the system will automatically trigger a cleanup process.
  - Credit/Reimbursement: You must complete account recovery to be eligible for reimbursement. After your Google Ads account is reactivated and 2-Step Verification is turned on, you can submit a reimbursement request for charges from unauthorized activity.
- Account structure modifications: This process applies when the security event involves changes to the structure of the account. Your account will remain suspended until consent is given through the change log by an authorized account admin.
  - Administrator re-authentication: To ensure your current session is secure, account administrators must re-authenticate their identity using Multi-Factor Authentication (MFA) or 2-Step Verification (2SV). This is a required step. You will not be able to complete the change log review or submit your decision until re-authentication is successful.
  - Account security: Google will secure the account, but it will remain suspended until you review the change log and make a decision on remediation.
  - Change log review and consent request: Google will send a detailed change log that highlights all changes made during the security incident to all account administrators who held their roles prior to the confirmed compromise event date, with the exception of the originally compromised user.
    - Google requires your explicit consent to perform the cleanup before we can safely restore your account. Select the appropriate account cleanup decisions for the actions in the change log.
    - Only one administrator can submit a decision. Any subsequent attempts by other administrators will not be permitted.
  - Automated cleanup: After you review the log and provide consent, the system will automatically launch the cleanup process to revert the unauthorized structural changes.
  - Account release: Immediately following successful cleanup of your account, it will be fully unsuspended and your ads can run again.
  - Credit/Reimbursement: You must complete account recovery to be eligible for reimbursement. After your Google Ads account is reactivated and 2-Step Verification is turned on, you can submit a reimbursement request for charges from unauthorized activity.
Learn more about account activity change logs.
3. Review your account’s data and settings
After your account has been successfully reinstated, take the following critical actions to secure your account, safeguard your data, and prevent any future unauthorized activity.
Protect your account
- Remove malicious software: Perform a comprehensive anti-malware and anti-virus scan to remove any unwanted or malicious software on all computers used to access your Google Ads account.
- Update your Google account password: After your system is completely clean, change your Google Account password. Changing your password while malware is still present poses a risk of the malicious software capturing the new credentials.
- Audit your domain allowlist: Review the domain allowlist settings in your account and make sure they’re configured as intended and aligned with your operational requirements.
Review user access
Compromised accounts may have changes in user access privileges.
- Examine current access: Review the full list of users who currently have access to your Google Ads account.
- Adjust or re-invite users:
  - Modify the access levels for all existing users as necessary.
  - Re-invite any essential users who were previously removed.
- Enhance user security: We strongly recommend that all users enable 2-Step Verification on their Google Accounts.
Manage linked accounts
Review all Manager Account (MCC) links and make sure that only desired connections are active.
- Review all MCC links: Navigate to the MCC linking settings within your account.
- Modify MCC access:
  - Immediately unlink any unauthorized MCCs.
  - Adjust the access levels for all legitimate MCCs to confirm they possess only the strictly necessary permissions.
Review linked payment profiles
Review all the linked Payment Profiles and make sure that only desired connections are active.
- Review all Payment Profile links: In your Google Ads manager account, go to the "Billing" tab and select Payments profile before following the instructions below.
- Unlink unauthorized Payment Profiles:
  - Select the specific payment profile you wish to unlink. Under the field "Linked to manager", select Unlink manager account.
  - You'll receive an alert showing the impacted accounts that will stop running ads due to this unlinking. When you unlink a payments profile from a manager account, billing setups of all Google Ads accounts that are using this linked payments profile are deactivated. A new billing setup is required for these Google Ads accounts to continue serving.
- Relink authorized Payment Profiles:
  - Request link to Payment Profile: Select the blue plus button, enter the 12-digit payments profile ID you wish to link to and select Send Request.
    - Your linking request is sent to the admins of the manager account with link-management permission for that payment profile. They will review your request and approve or reject it accordingly.
  - Approve link to Payment Profile:
    - Go to the "Sent requests" tab to view the list of your manager account’s pending linking requests.
Audit your campaigns
Unauthorized activity frequently involves the creation or modification of advertising campaigns.
- Review campaigns: Thoroughly review every campaign currently active or stored within your account.
- Delete or pause undesired campaigns: Delete or pause any campaigns that weren’t created by you or you don’t intend to run.
Address account policy suspensions
Policy suspensions are a known side effect of unauthorized activity in which unauthorized users create policy-violating ads, keywords, or website content.
These violations can subsequently lead to Google Ads account suspension under policies like Circumventing Systems or Unacceptable Business Practices. Address these issues with the following actions:
- Review the suspension notice: Thoroughly review the suspension email and the Google Ads policy that was violated.
- Remove all violating content: Immediately remove any ad, campaign, or landing page content that violates Google Ads policies and was created by an unauthorized user.
- Fix all security issues first: Before appealing, make sure you’ve completed all steps in the previous sections. These include the "Adjust or re-invite users" step and the "Manage linked accounts" and "Audit your campaigns" sections, which fully secure your account and remove all traces of the compromise.
- Submit an appeal: After all unauthorized content is removed and your account is secure, submit an appeal for the specific non-compromised event policy violation, explaining that the violations were caused by unauthorized access and detailing the comprehensive steps you’ve taken to secure the account and remove the violating material.
Advertiser verification and certification
Unauthorized activity frequently involves edits to your account that will either undo Advertiser verification or cause our system to think that you require a certain type of certification, such as Healthcare and medicines.
- Review verification details: Review your advertiser verification and make sure the details are correct. Complete Advertiser verification if needed.
- Identify incorrect certification requirements: Identify any certifications that you’re asked to apply for that you weren’t asked to apply for before. These certification requirements may be caused by certain keywords or campaigns created by account hijackers. Certification recommendations on the Advertiser verification page can be dismissed if irrelevant, and they will go away within 30 days if not acted upon.
4. Reinforce your account’s security
To protect your account from future issues, use additional security tools like Passkeys, Multi-party approval and Google Ads Security Agent.
Use a passkey with your Google Ads account
Passkeys are a more secure alternative to passwords. They can’t be copied or stolen, making them more secure against phishing attacks. Passkeys can be used to securely complete sensitive actions with your account. Learn how to use a passkey to complete sensitive actions.
Use Multi-party approval
Multi-party approval is a security feature that protects your account from unauthorized activity by requiring a second account administrator to verify sensitive changes. Learn more about Multi-party approval for Google Ads.
Leverage the Security Agent to reduce security debt
The Security Agent in your Google Ads Account dynamically monitors your account for activity that deviates from historical behavior, flagging anomalies so you can take action and prevent unauthorized access.
We recommend using the Security Agent to automatically manage and reduce security debt through the following features:
- Email domain audits: Checks the email domains on your account to help distinguish legitimate partners from potential risks, even when public email services are used.
- Behavioral monitoring: Flags users performing unusual actions, such as attempting major, uncharacteristic changes to your account structure.
- Login alerts: Detects credential threats by flagging login attempts or activity that deviate from your normal patterns.
- Access level assessments: Evaluates user permissions and may suggest downgrading inactive "Admin" users to "Standard" roles to minimize the impact of a potential compromise.
- Automated continuity: Continuously monitors your accounts and users in the background, eliminating time-consuming manual checks so you can focus on your advertising goals.
Review your recommendations regularly to accept or dismiss flags for specific domains or users. Learn more about the Security Agent for account hygiene.
5. Request reimbursement
If Google’s investigation determines your account was compromised and you were billed for unauthorized charges, you may be eligible for reimbursement.
You must complete account recovery to be eligible for reimbursement. After your Google Ads account is reactivated and 2-Step Verification is turned on, you can submit a reimbursement request for charges from unauthorized activity.
Billing investigations can take 10 to 15 business days. If you receive credits for unauthorized charges, they’ll appear as a "Service Adjustment" on your next monthly invoice. Final adjustments generally can’t be confirmed until the end of the billing cycle.
