A Cautionary Tale...

Hi all,

Something happened to one of the accounts that we manage yesterday, that you should probably be aware of.

The account was created by our client, who had only used a 6 character password, and the account was hacked.

Somebody accessed the account, set up a new campaign, and spent £600 of their cash sending people to a free mobile phone download website in America and Canada.

After a few hours, they turned off the campaign and deleted their website (hence covering their tracks quite well).

Google cancelled the account as soon as they noticed it.

We have resolved the problems, got the money back and reactivated the account (it's great having an Adwords rep, isn't it!), but you should probably be aware that your passwords are hackable, particularly if they are short or obvious.

 

Thanks for the heads up CustardMite

 

Thanks. need to change password more often.

 

interesting...

care to share the password that was hacked?

I just wonder how obvious it was

 

Really interesting.But why only a 6 characters password for adwords?All my paswords all at least 10 characters.

 

I had an old account with a 6 character, real word password hacked 2 weeks ago too.

I didn't even know until my rep emailed me and said it happened and they stopped it and credited me the money.

If your password is a real word, these hackers use brute force scripts that literally run through the dictionary applying each word to the login until they have success. I didn't think adwords accounts could have those brute force hacks, but I guess they can. The solution is go with random letters, numbers and symbols and use a passwords manager to remember them. My new passwords are all 10 to 20 characters in length and all random.

 

I change my passwords (all of them) quite often. Thanks for heads up buddy

 

Just a quick follow-up on this. It's happened to a second account (set up by one of our clients, but now being managed by us). It was a seven character password including letters and numbers.

Strongly advise everyone to make their passwords 10 characters plus, and pass this on to their clients, if they have logins to their accounts...

 

Were these two accounts both from the same client?

 

I would think telling Adwords to put a bruce force protection in there login would be beneficial.
Even Vbulletin has it, you get 5 trys then you have to wait 15 minutes.

 

If you try and login to AdWords (any G' service I think) a few times and fail it throws the captcha into the mix.

I wonder if the compromised accounts were both from the same client. If so, maybe a password document got leaked or they were using a similiar (and easy) password combo.

Anyway, strong passwords are a must and things like this are a great reminder.

 

Different clients.

The password on the second one should have been fairly secure - he'd not used it in a year (which should rule out any kind of spyware) and he swore he hadn't e-mailed the password to anyone (which should rule out e-mail fraud).

As you say, Google should be secure, so I don't know how it can have happened, only that it did...

 

Happened to me two years ago (more than $ 3000)
Had no problems with Google, they recognized, closed the compromized account and offered a new one, but I noted then - it's possible to live without Adwords (at least for the moment)

 

Captured by a phishing attack maybe? AdWords is only an email plus password which may have been the same login for many different applications.

Thanks for making us aware and bringing this issue back into our consciousness.

 

Disused login. Nobody had used it in over a year, or given the password to anyone else (via e-mail or anywhere else).

Most perplexing...

 

wow thats a really sucky situation. I use really obscure passwords.

 

I posted about this over the weekend...one of my personal AdWords accounts was hacked on September 18th. I had not changed the password in a long time but it was strong. I was lucky...no charges were incurred but the account is still completely inactive.

Change your passwords!