Reality Check – My Adwords Account Hacked!
April 23rd, 2009 | 55 comments
Edit: WOW, talk about good support! I contacted a Google rep at approximately 12 PM to report the fraud and by 3 PM it was resolved! Kudos to the Google Adwords team, specifically Katie W.
Just a quick reality check for you. Today I logged into my Google Adwords account and found a campaign in there that I didn’t create.
That campaign had generated $1,600.00 worth of clicks to some spam site that were charged to my credit card!
Some loser got my password somehow and although it’s being investigated and that individual is going to sit in prison for a few years, I have to blame myself! It had been at least a year since I had changed that password!
So hopefully this is a good reality check for you! I’ve never given anyone access to this account, so it’s hard to tell how they got it. My password should have been stronger (more characters, with letters, numbers and symbols) and I should have changed it at least a few times in the past year.
Go change your passwords for important online accounts RIGHT NOW if you haven’t for a while!
Do it regularly, use strong passwords and don’t use the same password for multiple accounts!
Hopefully my ignorance will help prevent the same thing from happening to others!
23rd April, 2009 at 4:00 pm
Yikes Josh,
That is awful. Will your credit card company erase the charge? Did you find out the person’s name via whois information? Please update us on the steps you take to rectify this. This is a good reminder which we probably are all guilty of.
Debbie
23rd April, 2009 at 4:03 pm
That’s awful
I have just been thinking about changing all my passwords and this has given me a good reason to act on that thought.
23rd April, 2009 at 4:03 pm
wow!
I would want to give someone a serious beat down for that. I’m sure your CC company will erase the charges though as this is an obvious fraud.
Sorry this happened to you.
Jeremy
23rd April, 2009 at 4:06 pm
That sucks! I always wonder how people are able to get passwords. The sad part is nothing will probably happen other than a slap on the wrist. That’s if they ever catch them!
23rd April, 2009 at 4:10 pm
Dude, that sucks, but being online and actively participating on so many sites and services that require a login, it really is a matter of time before someone gets victimized. This happens all the time, but it is definitely easier when people are careless and use dumb passwords like “password” or “111111” or whatever default password you’re given when you sign up somewhere.
Hope you get it straightened out, $1600 is not gonna be easy to take if you have to front the bill after all. Hey, let’s see how good Google really is, and see if they can catch who did it.
My guess is they will.
23rd April, 2009 at 4:12 pm
@ Deb – I doubt they’ll reverse it since I do business with them regularly. Google is taking care of it though… I’m not too worried about that.
They used a name, address and phone # out of the phone book…. I called and spoke with the woman who was VERY surprised.
@ Forest – Yep, go do it now buddy.
@ $20 – Please read my comment policy
It does suck… more for the idiot who did it though. It definitely won’t be a slap on the wrist! Google will give my money back, then the idiot who did it will have to pay it back, plus whatever Google decides to ask for in court. I’d hate to get sued by Google lol
23rd April, 2009 at 4:14 pm
Hey Josh,
That sucks…hopefully it leads to a successful prosecution…
Have you checked that you don’t have any keylogger or screenshot saver/copier adware on your system?
Do you use Roboform (no aff link) to protect your passwords…..excellent program….check it out.
Regards
Greg
23rd April, 2009 at 4:16 pm
That sucks! Looks like there’s a lot of info out there on how to hack gmail accounts. May be a good idea to not use your gmail account as your Google account associated with adwords. http://www.youtube.com/results?search_type=&search_query=gmail+password+hack&aq=f
23rd April, 2009 at 4:18 pm
That’s horrible Josh. I hope you get your money back soon.
Password management can be a pain and although it’s a big mistake, it’s very tempting to use the same password for different accounts. The last few months I’ve been using RoboForm, which makes life a lot easier in this department.
23rd April, 2009 at 4:19 pm
Thanks Josh! Just changed mine to a 14 character password with numbers and symbols, that should (hopefully) help stop them.
23rd April, 2009 at 4:19 pm
Sorry about the comment thing, never noticed it! I guess you are right though, I would hate to have Google coming after me. The old “whoever has the most money wins” comes into play on that one!
23rd April, 2009 at 4:23 pm
Sorry about your headache!
Thanks for the reminder to update passwords – and the note to use different passwords on different accounts. Don’t use the same password for all accounts – a thief that gets that one password can cause all kinds of problems in multiple accounts.
Steve
23rd April, 2009 at 4:25 pm
I’m sorry my first comment on your blog is on this subject, even though I’ve been a reader for awhile.
Hopefully Google will be swift with taking care of this. I recently started using stronger passwords myself. They are harder to remember though!
Sara
23rd April, 2009 at 4:28 pm
Keeping up with all the passwords is a nightmare even with RoboForm!
One piece of advice is to regularly check all your important accounts.
Hey Josh when did you last check your Paypal account?
Ugh!
Alex
23rd April, 2009 at 4:28 pm
Well, that really sucks. Something very similar happened to my eBay account last year. eBay took care of the whole thing for me. I bet G does the same for you.
The problem with changing passwords is that there are so many everywhere. What we need is for more providers like Google to go to OpenID so that passwords are easier for people to manage.
What I do is create a base password each year — an example would be Mas459. Then I create a suffix for each account — like GAdW. So my password for Adwords would be Mas459GAdW.
When I change passwords, I only change the Mas459 part for all accounts.
This helps keep me sane.
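The post’s advice (strong passwords, a different one per account) and the base+suffix scheme in the comment above both come down to one question: if one site leaks your password, what does the attacker learn about the others? The Python below is an added example, not code from the post or any of the commenters. It uses constructed strings in the shape of the scheme described above (Mas459 plus a site tail); they are illustrative, not anyone’s real password. It shows what an attacker can do with one leaked base+suffix password, and beside it a per-site password drawn from the OS random generator, with the length/character-class check the post recommends and a reject list for known-bad values like “password” and “111111”.

```python
import math
import secrets
import string

# Constructed sample of the base+suffix scheme from the comment above.
# Illustrative values only; not anyone's real password.
BASE = "Mas459"
SUFFIXES = {"adwords": "GAdW", "paypal": "PPal", "gmail": "GMal"}

def derived_passwords(base, suffixes):
    """The base+suffix scheme: one shared secret plus a predictable per-site tail."""
    return {site: base + suffix for site, suffix in suffixes.items()}

def guess_siblings(leaked_password, suffix_len, guessed_suffixes):
    """What an attacker does with ONE leaked password from this scheme:
    strip the site tail to recover the shared base, then bolt on the obvious
    tails for other sites. guessed_suffixes maps site -> the tail they try."""
    base = leaked_password[:-suffix_len]
    return {site: base + suffix for site, suffix in guessed_suffixes.items()}

# Per-site passwords that share nothing with each other.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def random_password(length=16, alphabet=ALPHABET):
    """Independent password from the OS CSPRNG (secrets, never the random module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Guessing effort for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)

# A few of the values every password-guessing list starts with (constructed subset).
COMMON = {"password", "111111", "123456", "qwerty", "letmein"}

def is_acceptable(pw, min_len=14):
    """The checks the post recommends: long enough, mixed classes, not a known-bad value."""
    if pw.lower() in COMMON or len(pw) < min_len:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return sum(classes) >= 3

if __name__ == "__main__":
    mine = derived_passwords(BASE, SUFFIXES)
    # The attacker only saw the AdWords password leak, but guesses the rest.
    theirs = guess_siblings(mine["adwords"], len(SUFFIXES["adwords"]), SUFFIXES)
    print("attacker recovers:", theirs == mine)                   # True
    print("base+suffix passes the post's checks:", is_acceptable(mine["adwords"]))
    print("random per-site password:", random_password(),
          f"(~{entropy_bits(16, len(ALPHABET)):.0f} bits)")
```

The point of `guess_siblings` is that the base+suffix scheme has the same failure mode as reuse: one leak exposes the shared part, and the tails are guessable from the site name. A generated password per site, stored in a manager like the RoboForm and LastPass tools commenters mention, removes that link; changing the base once a year does not.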
23rd April, 2009 at 4:31 pm
Hey Josh, man that kind of stuff is a nightmare.
Long ago I decided to never have my passwords on any computer that has access to the web.
I keep an old 486 machine running that has NEVER been networked or been on the web, so that is where I keep my database of a couple of hundred passwords.
It’s a little rough when I’m mobile, but I’ll live with it for the safety.
Still I agree that passwords should be changed often.
Guess I’ll do that now.
all the best.
Rich Hill
23rd April, 2009 at 4:33 pm
The same thing happened to me last November, one day I found I couldn’t get into my adwords account and so contacted Google.
They re-enabled it for me and I soon found someone had set up a campaign bidding high on a keyword like “airfares” or something I burned through $3,000 in one day.
Google did reimburse me though, although it took them a month to pay up, but it was a hard lesson to learn all the same.
23rd April, 2009 at 4:37 pm
Hi Josh,
That must be painful! I think your recommendations make sense. I’ve been working in IT for years and nowadays more and more in marketing.
What do I do? Well, I only recommend one product I’ve been using for the last two years, where I can create strong passwords and store them encrypted.
I have included a link to my website where I offer this information and free trials.
betterpcnow.com/security/privacy
The best part is they have a very good reputation and I agree with that.
You can also use the Google AdWords Editor to download and check your campaigns; downloading all will show you the changes in a different color.
Hope this helps!
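The comment above suggests pulling the account down and checking for changes you did not make; the post itself found out only after $1,600 had already been spent. The script below is an added example, not code from the post or any commenter, and it does not use any real AdWords export or API. It runs over a constructed change-history sample whose column layout (timestamp, user, action, campaign, daily budget) is an assumption for this example, and flags changes made by a login you do not recognise, with a budget far above your normal one, or at an hour you never work. The known-user list, budget ceiling and quiet hours are all assumptions you would set for your own account.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a change-history export. The column layout is an
# assumption for this example, not the real AdWords Editor or change-history format.
SAMPLE_HISTORY = """timestamp,user,action,campaign,daily_budget_usd
2009-03-02 09:12,josh@example.com,Campaign created,Spring Promo,25.00
2009-03-15 14:40,josh@example.com,Budget changed,Spring Promo,30.00
2009-04-22 03:41,unknown-user@example.net,Campaign created,Cheap Pills Blast,800.00
2009-04-22 03:43,unknown-user@example.net,Budget changed,Cheap Pills Blast,1600.00
"""

KNOWN_USERS = {"josh@example.com"}  # assumption: the only login that should edit campaigns
BUDGET_CEILING = 100.00             # assumption: the owner's normal daily budget
QUIET_HOURS = range(0, 6)           # assumption: the owner never edits between 00:00 and 05:59

def parse_history(text):
    """Parse the CSV export into rows with typed timestamp and budget fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M")
        row["daily_budget_usd"] = float(row["daily_budget_usd"])
        rows.append(row)
    return rows

def suspicious_changes(rows, known_users=KNOWN_USERS, budget_ceiling=BUDGET_CEILING,
                       quiet_hours=QUIET_HOURS):
    """Flag each change made by an unknown login, with an outsized budget,
    or during quiet hours. Returns (campaign, action, reasons) tuples."""
    findings = []
    for row in rows:
        reasons = []
        if row["user"] not in known_users:
            reasons.append("unknown user")
        if row["daily_budget_usd"] > budget_ceiling:
            reasons.append("budget above ceiling")
        if row["timestamp"].hour in quiet_hours:
            reasons.append("quiet-hours change")
        if reasons:
            findings.append((row["campaign"], row["action"], reasons))
    return findings

def campaigns_to_pause(findings):
    """Distinct campaigns that should be paused pending review."""
    return sorted({campaign for campaign, _, _ in findings})

if __name__ == "__main__":
    findings = suspicious_changes(parse_history(SAMPLE_HISTORY))
    for campaign, action, reasons in findings:
        print(f"{campaign}: {action} ({', '.join(reasons)})")
    print("pause:", campaigns_to_pause(findings))
```

Any one of the three signals is enough to warrant a look; the constructed rogue campaign trips all three. Run something like this daily against a fresh export rather than waiting for the bill, and keep the budget ceiling in the script at the level you actually spend so a sudden $800/day campaign stands out on its own.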
23rd April, 2009 at 4:50 pm
Hi,
You are not the only one, friend. Someone did a $23000 charge to my Adwords account over 3 days. But thank God it was resolved.
23rd April, 2009 at 4:50 pm
Was it actually hacked, or might you have given it in some way by including it within a script uploaded somewhere, or a Tell-a-Friend on someone else’s site?
23rd April, 2009 at 4:56 pm
@ Greg – Well I run Norton Internet Security and nothing has come up. As far as I know it’s clean, but you’re right, I need to look into that! Re: RoboForm, yes I do.
@ Alex – I make most of my income via PayPal so that is monitored several times a day… changed that password along with everything else today though.
@ Mark – Really good idea, never thought of that!
@ David & Davion – Great to hear they took care of you! I’m confident they’ll take care of me as well.
@ Andy – Well, “hacked” was probably the wrong word. But I don’t believe it was phished either. That may be possible with my Twitter account… I have entered those details, but never Adwords, and they had different passwords.
23rd April, 2009 at 4:56 pm
Oh man, that’s scary. It’s a daunting task to go through my accounts and change them, but the alternative is definitely not the way I want to go. So adding to my to-do list now.
23rd April, 2009 at 4:58 pm
You likely were a victim of a CSRF (read sea-surf) attack. Windows Secrets newsletter has an article on this security hole in their latest issue that arrived today. This is a known hole in GMail, and I presume the rest of the Google apps since they all use the same login. Google doesn’t plan to fix it as they don’t consider it a big enough threat.
Using a strong password, as you recommended, is a big step toward mitigating this threat. If you use GMail, only use it with the “always use SSL” option on (see Settings). Even better, but less convenient, is to use POP3 access to GMail instead of the web interface.
If you care about the technical details, go to WindowsSecrets.com and view the article there.
23rd April, 2009 at 5:03 pm
What possible advantage could someone hope to gain from doing this? If they are trying to make sales on a web site, they will get caught. What’s the point?
23rd April, 2009 at 5:04 pm
Don’t forget that your Gmail might be a key into your other accounts.
Domains
Affiliate accounts
Hosting
Social Media
etc
It is why I was so negative on the tell-a-friend scripts that scrape gmail and other sites.
23rd April, 2009 at 5:06 pm
@ John – Thanks, I’ll look into it.
@ Charlie – I guess the same reason someone would murder a person. Just betting on the small chance that they won’t get caught.
@ Andy – True, I’ve already changed PW’s for all important accounts. Seriously considering using a self-hosted email from now on.
23rd April, 2009 at 5:24 pm
@ Josh-Thanks for the reminder .
One day I’ll die just with the sheer weight of all the passwords that I carry in my head.
Like someone mentioned, our gmail account should be secured.
In Gmail, there is an option within the Settings tab to use https://mail.google.com instead of plain http. It’s just one additional security layer which we all should take advantage of.
23rd April, 2009 at 5:39 pm
Josh, thanks for the advice, and thanks to all the other commenters too. By self-hosted email, do you mean through your website host?
23rd April, 2009 at 5:45 pm
I am really sorry about the hack. I know you’ll resolve everything. It kills me that people are willing to risk prison for a few bucks. I’d rather be homeless than behind bars.
I have a couple hundred log-ins and the only way I can keep them all straight is with my Roboform, where I can encrypt everything. I never let my browser keep that info. So many hackers attack browsers. I set my firefox to clear all cookies every time I close it. I even run a security scan every morning.
Yeah, maybe I’m a little paranoid, lol!
23rd April, 2009 at 6:24 pm
how does changing passwords help anything unless you use same password for everything?
The only way they could get password is either you were hacked… or if you somehow unintentionally gave it to them (phishing pages designed to look like yahoo or gmail or myspace… in which case they request email address and new password or say “forgot password” in which case they will get your email and request passwords for everything they can using your email…)
Sure, if you don’t check sites for phishing (I think there’s a Firefox plugin that helps), changing your password is a good idea…
But is there a reason to change passwords other than this? Isn’t a hacker who figures your password out still going to be able to do it?
If he has spyware installed on your computer or whatever he can figure out when you change your password and what you changed it to I think…
23rd April, 2009 at 7:08 pm
Josh,
Sorry to hear you got hacked. You are not alone. Identity theft, of which transaction fraud is a subset, is the fastest growing crime in America. The Federal Trade Commission (FTC) now spends almost all of their time dealing with it.
Often times, here is what happens. The bad guys get some software onto your computer that you are totally unaware of.
Could be part of a download or an inbound email or while you were visiting a web site. Doesn’t matter. The software then sends them back every single keystroke you make, including your new longer and stronger passwords. They then hack your accounts. It gets worse. The bad guys now have teams of programmers who have largely automated the process so now they do it on a grand scale. The next step in the process is that the bad guys sell your “details” on an open criminal market overseas. So, the bad guys steal your information and then they sell it to other bad guys overseas. The final step in the process is that each and every one of the bad guys who purchased your details then runs a scam or two using your information (creates fake accounts, buys things, the usual).
The final final step in the process is that you get to clean up the mess, and that can take a year or more to do.
The good news is that the Secret Service is now working these kinds of cases so perhaps they will not happen as often.
The bad news is that the trend is not slowing at all. The bad guys are winning.
Credit card companies take the losses as a cost of doing business and raise fees to cover it. The bad guys almost never get caught, not even close. We “victims” on the other hand are left to clean up a mess that steals hundreds of hours of your time (i.e. life) to fix. You have to convince the credit card company that you did not do it by filing police reports and submitting notarized affidavits and the list goes on. You lose massive work time and family time. You also get to worry about it the whole time. You worry about what happens if the credit card company decides you are not innocent. What happens if they decide to make you pay for the fake charges? Now you have a real mess that will cost you dearly to resolve.
I have been “hacked” three times in the last eight years. First I installed anti-malware software and beefed up my passwords. After the second time, I switched to a Mac for all credit card transactions. After the last time, I finally got smart.
I got smart in that I no longer use regular credit cards of any kind for Internet purchases. Instead, I use pre-paid credit cards. I keep a low balance and put on more money only when I need it.
It’s more work but I’ve never lost any money. And if I do, I lose only what I put on the card. I usually keep $100 on it. I’d rather lose $100 than have the credit card company tell me that someone racked up $8,000 worth of charges in my name and that I now get to spend hundreds of hours fixing a huge mess. I’d rather spend the time working or with my kids.
Oh and this does not even include all the massive data breaches that happen all the time. Your bank loses a laptop that contains all your account and personal information. All the password protection in the world won’t save you from that one.
Sorry for the rant. Here is the short story on how to protect yourself, my take anyway:
1) Only use a pre-paid credit card to buy things on the Internet and keep the balance low.
2) Never sign up for and/or use online banking or bill pay of any kind. Also, bank with a small bank where they know you and don’t outsource calls.
3) Pull your credit reports every year to make sure you are not already a victim and/or deal with this quickly. I have a service that sends me an email instantly any time there is any activity on my credit bureau accounts and a monthly review and summary.
4) Never have or use debit cards. Cancel them and switch to straight ATM cards.
You can get more info here:
http://www.idtheft.gov/
Thanks.
Mitsu
23rd April, 2009 at 7:30 pm
The same thing happened to me, $1500 of ads from my CC. You probably have a trojan or a virus on your PC; time to format or unleash all the virus scanners and malware scanners you can get your hands on on your PC…
23rd April, 2009 at 7:43 pm
WOW, talk about good support! I contacted a Google rep approximately 12 PM to report the fraud and by 3 PM it was resolved! Kudos to the Google Adwords team, specifically Katie W.
23rd April, 2009 at 9:10 pm
Just when you thought you could sit back, all fat and sassy, and just make money…
Life rarely stays boring, does it??
23rd April, 2009 at 10:17 pm
Wow! Talk about good support…although you probably didn’t really want to have to go through that to find out Google had good support.
A similar thing happened to my ebay account a few years ago…it got resolved quickly. But I’ve been using unique passwords ever since!
23rd April, 2009 at 10:48 pm
Ow I see, great thing there is something like this…
That’s right, if you don’t check sites for phishing (I think there’s a Firefox plugin that helps), changing your password is a good idea…
Julius
23rd April, 2009 at 11:07 pm
Timely reminder for everyone to change those passwords regularly and quit using the “cute” ones we are all guilty of and start using the strong but boring ones with upper case, lower case and numerals.
Thanks for the heads up Josh, hope all works out well.
23rd April, 2009 at 11:10 pm
It’s reassuring to hear that Google handles these cases with integrity. That gives me even more reason to like them.
I know it’s in their best interests to handle these situations in a reliable manner, but not everyone does.
My passwords are long overdue for a change, too.
So glad it was sorted out for you.
24th April, 2009 at 12:04 am
Definitely a great warning and good advice to change passwords. I’m a Roboform addict – I let it auto-generate passwords, using a different one for each site, then back up the Roboform database to my thumb drive as often as possible.
I follow two other safe computing rules:
1) Never type a password on someone else’s computer, or especially a public or library computer. You have no control over the security of those environments.
2) Never enter a password through unencrypted wi-fi connections. I don’t like the idea of broadcasting my passwords to anyone in a few hundred foot range. If I’m using a public wi-fi port (restaurant, airport, conference) I use find-not (an encrypted proxy service) to encrypt all my web traffic.
Thanks again for the heads up.
- Tony
24th April, 2009 at 12:52 am
Thank you Josh for the heads up. I changed my password for google. I’ll change the others tomorrow.That is scary to say the least.
Thanks again
24th April, 2009 at 2:08 am
That’s terrible Josh!
But I’m glad you got it resolved with Google.
I always wonder what might be lurking in my computer, especially when it starts clunking away while I’m doing simple tasks.
Hope you get it all straightened out and they nail the culprit.
Mike
24th April, 2009 at 12:11 pm
Thanks for the timely warning, Josh. We all need to be more careful when it comes to our passwords. Glad Google sorted it out for you.
24th April, 2009 at 1:29 pm
OMG!
That’s really “crap!”
The thing is, as online marketers, one tends to have numerous passwords to so many applications that in the end one may opt to use similar if not the same one for everything. It saves time but can be a killer if anyone ever gets their hands on that password.
I hope you’ll be able to earn back that money some time soon. Can’t this issue be investigated further, i.e. the owner of the destination URL of the clicks?
I’ll continue to stick to the free methods for traffic generation for now and look to review my password make up.
24th April, 2009 at 1:57 pm
I’ve never heard of that happening. I’m glad to hear that Google took care of it so fast.
I started creating passwords so complex for each site that I couldn’t possibly remember them. I like to use a lot of lower case Ls and the number 1. It makes it difficult for someone to determine what it is even if they see it.
There is a free program from download.com called memo keys. You can use it to record different keystrokes (the passwords) and then recall them with a much simpler set of key strokes.
For instance, if I hit F1 and E, then memo keys will output my eBay password. If I hit F1 and C, then memo keys outputs my Clickbank password. Etc.
As far as the few guys that mentioned disputing a charge with your credit card company against Google. Luckily, Josh didn’t have to do that because Google took care of the charges. I’ve heard of Google canceling and banning accounts for credit card disputes.
24th April, 2009 at 2:47 pm
That sucks.. I am glad adwords support was quick for you and identified the fraud quickly.
Reminds me to change my password too. I loved Apple’s Keychain for storing my passwords. I am stuck with a Windows laptop for a couple of months and have to keep my passwords deliberately easy.
24th April, 2009 at 4:51 pm
This should be a wake up call to everybody. I’m so glad I have RoboForm already! I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:
http://www.theroboformreport.com/indexb.html
There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!
24th April, 2009 at 6:19 pm
There is no use in changing passwords if there are trojans or other malware on your pc….
24th April, 2009 at 11:31 pm
[...] off is Josh Spaulding, who talks about a $1,600 credit card bill that came about as a result of a weak pass… (and thanks, Josh, for taking responsibility. While I’m sorry it happened to somebody like [...]
25th April, 2009 at 9:39 pm
Sorry to hear about your problems Josh. Anybody using Firefox might like to check out the free plug-in from LastPass.com which provides a lot of password security. I’ve been using it for some weeks now and have come to rely upon it.
26th April, 2009 at 12:17 pm
We do not hear very often of people we know that get hacked. I feel like I know you Josh because I have followed your blog for quite a while. Which is an interesting thought. That would make you a celebrity because one of your fans feels like they know you even though you have not a clue who I am….
Rick
28th April, 2009 at 11:37 pm
Guess I’d better start using that RoboForm password generating tool. I’m not all THAT attached to my favorite password!
28th April, 2009 at 11:38 pm
Wow, that is certainly a horrible situation. Good to have a wake up call like that sometimes. I hope that never happens to one of my accounts!
29th April, 2009 at 7:31 am
Oh my goodness, that’s awful, I hope you can get things sorted out ASAP.
thank god, google adwords team looks quite helpful in this situation.
what a story.
4th June, 2009 at 12:45 pm
Hello, that sounds awful.
Try to keep close track in analytics of where the clicks came from.
That way I discovered a lot of click fraud in my campaign.
Anders
Good luck
25th July, 2009 at 1:26 pm
Mark’s idea of a base password for each year really makes a lot of sense.