Google Ads Hack Audit: Simple Checklist
Goal
Find:
-
Who created the malicious campaign
-
How that account got permission
-
Whether that account was compromised
-
Whether Google Ads API or a third-party tool was involved
1. Find who created the campaign
Go to:
Google Ads → Campaigns → Change history
Set the date range to when the malicious campaign appeared.
Look for:
-
Campaign created
-
Ad created
-
Ad group created
-
Budget changed
-
Final URL changed
-
Tracking template changed
-
User email
-
Tool used, such as:
-
Google Ads UI
-
Google Ads API
-
Google Ads Editor
-
Third-party platform
-
Save evidence:
-
Screenshot
-
Export if possible
-
Campaign name/ID
-
Ad group/ad ID
-
User email
-
Date/time
-
Tool used
-
Budget/payment changes
-
Final URL / tracking template
2. If the tool says Google Ads API
This may mean the campaign was created by:
-
A third-party app
-
An agency tool
-
A script
-
An API integration
-
A compromised app/token
Ask whoever manages Google Ads API access to run this query.
1SELECT
2
3 change_event.change_date_time,
4
5 change_event.user_email,
6
7 change_event.client_type,
8
9 change_event.change_resource_type,
10
11 change_event.resource_change_operation,
12
13 change_event.change_resource_name,
14
15 change_event.changed_fields
16
17FROM change_event
18
19WHERE change_event.change_date_time >= 'YYYY-MM-DD'
20
21 AND change_event.change_date_time <= 'YYYY-MM-DD'
22
23ORDER BY change_event.change_date_time DESC
24
25LIMIT 10000Replace:
1YYYY-MM-DDWith the date range around when the malicious campaign appeared.
Look for:
-
change_event.user_email -
change_event.client_type -
Campaign creation
-
Ad creation
-
Budget changes
-
Final URL changes
-
Tracking template changes
Important note:
Google Ads API Change Event data is only available for a short lookback window, usually 30 days. Run this as soon as possible.
3. Check who has Google Ads access
Go to:
Google Ads → Admin → Access and security
Check these tabs:
Users
Look for unknown users or suspicious roles:
-
Admin
-
Standard
-
Billing access
Managers
Look for unknown manager/MCC accounts.
Pending invitations
Cancel anything suspicious.
Multi-party approval
Check whether someone requested or approved access changes.
Look for:
-
Who requested access
-
Who approved access
-
When the approval happened
-
Which account was granted access
4. Trace the suspicious user in Google Admin
Go to:
Google Admin Console → Reporting → Audit and investigation
Search for the suspicious email.
Check these logs:
Admin log events
Look for:
-
User created
-
Password reset
-
Admin role granted
-
Group membership added
-
Security settings changed
-
2-step verification disabled
-
App access changed
-
Domain-wide delegation changed
Login log events
Look for:
-
Suspicious login
-
New country/IP
-
Failed login attempts
-
Password change
-
2FA changes
-
Login from a new device
OAuth log events
Look for:
-
Unknown third-party apps
-
Google Ads tools
-
API access
-
Recently authorized apps
-
Suspicious OAuth client IDs
5. Important distinction
Google Ads permission is usually granted inside Google Ads, not Google Admin.
So use:
Google Ads to find who gave Ads access.
Use:
Google Admin to find whether that Google account was hacked, created, elevated, or connected to a malicious app.
6. Contain the damage
Do this immediately:
-
Pause the malicious campaign
-
Screenshot/export evidence first
-
Remove unknown Google Ads users
-
Remove unknown manager accounts
-
Cancel suspicious invitations
-
Check billing/payment changes
-
Reset passwords for suspicious users
-
Enforce 2FA/passkeys
-
Revoke suspicious OAuth apps
-
Block unknown third-party apps
-
Rotate API credentials if API abuse is suspected
-
Contact Google Ads support about unauthorized activity/charges
"""