On the night of January 5, 2026, a wave of cyber‑attacks swept across the digital marketing world, targeting Google Ads Manager Accounts (MCCs). While the exact number of agencies hit remains unclear, estimates suggest that hundreds—perhaps even thousands—of agencies fell victim to the breach, putting tens of thousands of individual advertiser accounts at risk.
For many of us, the shock of seeing our own MCC compromised was followed by a frantic scramble to understand what had happened, how it could be stopped, and what we could do to protect ourselves and our clients. Below is a step‑by‑step guide that distills the experience of one agency that was hacked, the tactics the attackers used, and the concrete actions you should take right now.
What Happened to the MCC?
At midnight on January 5, the attackers gained control of our Google Ads Manager Account. They did not simply log in; they took over the entire hierarchy. Within hours, they had:
- Removed every existing user from the MCC.
- Changed the allowed domain to
gmail.comand granted access to more than a dozen new accounts. - Created a brand‑new MCC in our company’s name and sent invitation emails to most of our clients—none of whom accepted.
- Deleted users from several client accounts and altered payment methods on others.
- Launched new campaigns on a handful of accounts and attempted to charge two accounts with more than $500,000 in credit card fees, even though no ads were running.
These actions caused immediate financial risk, potential data loss, and a severe blow to client trust. The attackers’ goal was clear: seize control, generate revenue, and leave a trail of chaos.
Leave a Comment