Google Ads Security: Stop Account Hijacking in 2026

Google Ads account security moved up the agenda on June 17, 2026, when Google added a Security Tasks Summary tab to the Access and Security section — a single view of completed versus outstanding security tasks, including passkey creation, domain review, and user review. It is a welcome nudge. It is also only a nudge.

The stakes behind that nudge are concrete. Throughout 2025 and into 2026, advertisers and agencies reported manager-account takeovers that drained ad budgets fast — in one documented case an entire manager account was hijacked overnight, with attackers running up tens of thousands of dollars in fraudulent spend inside 24 hours. Recovery took anywhere from three days to several months. A checklist tab does not change that math on its own; a disciplined audit does.

This guide turns the security checklist into a concrete five-step audit you can run today: two-step verification across every login, passkeys for sensitive actions, least-privilege access levels, manager-account (MCC) hygiene, and alerting plus a recovery plan. It is sourced from Google’s own documentation, Google Ads API security requirements, and independent threat research from Malwarebytes and the trade press.

On or before June 17, 2026, Google added a new Summary tab to the Access and Security section of Google Ads. It sits alongside the existing Users and Managers tabs and shows completed versus outstanding security tasks — reportedly including passkey creation, domain review, and user review. It was first publicly spotted and shared on LinkedIn, then picked up by the trade press.

Two caveats matter before you go looking for it. First, this appears to be a phased rollout — coverage at the time noted that the tab was not yet visible in every account, so do not be alarmed if you cannot find it. Second, a completed checklist is not the same as a secure account. The tab is a prompt to do the work, not evidence the work is done. The same week, Google also rolled out a restyled campaign-status interface, swapping solid status badges for cleaner outline-only ones — a cosmetic refresh worth noting only so you are not surprised by the new look.

To audit well, you have to understand what you are defending against. The dangerous misconception is that a stolen password is the only path in. A significant portion of documented manager-account takeovers never required the attacker to crack a password at all.

The most common pattern is a fake invitation. The victim receives an email that looks like a standard Google Ads access invitation. Clicking “Accept” leads to a convincing fake Google login page on a different URL, where credentials — and sometimes the second-factor code — are harvested in real time. In one widely reported case, an agency owner had an unknown administrative user added to the manager account and then their own MCC linked to many child accounts; that account had two-factor authentication enabled, and the attack still succeeded.

Independent threat research fills in the supply side. In January 2025, Malwarebytes documented at least two criminal groups running sustained Google Ads credential-theft campaigns, with one prolific group keeping malicious ads live around the clock despite continuous reporting. Attackers even exploit Google’s own URL-matching rule: because Google Sites shares a root domain with the ads interface, fake login pages hosted there can pass display-URL matching, making malicious ads hard to distinguish from genuine ones. Once inside, attackers typically add a new administrator from a different address, lock out the legitimate owner, and run fraudulent ads — sometimes to fund further phishing.

That quote is the whole reason this audit exists. The account had 2FA, and it was still taken over. The lesson is not that 2FA is useless — it stops the large class of password-only attacks — but that 2FA is one layer among several, and the controls that close its gaps (passkeys, least-privilege access, MCC enforcement, and active monitoring) are exactly the ones most advertisers skip. The cost of skipping them is asymmetric: setup is minutes, while recovery after a hijack has ranged from three days to several months.

Every security guide tells you to enable 2FA. Few explain which threats each control actually addresses, or whether Google requires it. The matrix below maps the common Google Ads controls against three attack types and the rollout status Google has stated. Read it to match your risk profile to the right combination — not to pick a single “best” control.

The pattern is clear when you read down the columns. Two-factor verification reliably stops password-only attacks but does little against an attacker-in-the-middle who relays your session in real time. Passkeys — which cannot be shared, copied, or relayed — are the single control that addresses all three attack types, which is why Google has positioned them at the front of its sensitive-actions requirement. Access-level discipline and user audits do not stop the initial compromise, but they contain the blast radius and surface an intrusion faster. Defense is the stack, not any one row.

Two-step verification (2SV) is the floor, and Google has been making it mandatory in stages. As of April 21, 2026, the Google Ads API requires 2SV for users completing authentication workflows: without it, users cannot generate new OAuth refresh tokens, and API calls from un-enrolled users fail with a verification error. Existing tokens keep working, but any new integration depends on 2SV being enabled.

Google Ads supports five verification methods: the Google Authenticator app, a Google prompt on a mobile device, a security key, a phone call, or an SMS text. Per Google’s own documentation, the Authenticator app is a more secure way to verify your account than SMS, because SMS codes can be intercepted or redirected. There is also a practical reason to complete 2SV beyond prevention: Google Ads support staff often require it to confirm your identity, so it is a prerequisite for getting help if an attack does happen.

The honest caveat, repeated because it matters: 2FA stops password-only attacks, not session-cookie theft or a fake-invite flow that captures the second factor in real time. Enable it on every login that touches your accounts — then keep going to the controls that cover what 2FA can’t. Security here is a subset of broader account discipline; if you are also tightening performance, our Google Ads audit checklist covers the operational side alongside this security pass.

Passkeys are the control that closes the gap 2FA leaves open. Google has announced that, starting July 15, 2026, a passkey will be required to complete certain sensitive actions in Google Ads — including adding new users, changing billing information, updating account links, and changing user access. Advertisers received email notice of this in early May 2026. As of this post’s date the requirement is announced, not yet enforced, which is exactly why now is the time to set passkeys up rather than scramble in mid-July.

There are two timing details worth planning around. New passkeys take roughly one to two days to pair with Google Ads, and a new passkey may be subject to a seven-day security delay before it can complete certain sensitive actions. In other words, a passkey created the day before you need to add a user may not be usable in time. Set them up well ahead of any planned access changes — and well ahead of the announced July date.

The phrase that matters is “can’t be shared.” A password and a one-time code can both be handed to an attacker — by a fake login page, by a colleague trying to be helpful, by a convincing phone call. A passkey is bound to a device and cannot be relayed the same way, which is what makes it effective against the attacker-in-the-middle and fake-invite flows that defeat 2FA alone. Because passkeys cannot be shared between users, each person with access creates their own — plan that into your rollout for teams and agencies.

Least privilege is the cheapest control you have, and the most commonly ignored. Google Ads defines five access levels for manager accounts, each with a deliberately narrow remit. Match the person to the level — a reporting contractor does not need Admin, and a billing clerk does not need operational control of campaigns.

For agencies and multi-account advertisers, the manager account (MCC) is both the greatest convenience and the greatest exposure. One compromised sub-account or freelancer login can cascade across the entire client portfolio — the attack surface scales with the size of the tree. The Craig Skalko case is the cautionary tale: the attacker linked their own MCC to many child accounts at once, turning a single foothold into portfolio-wide control.

The highest-leverage move is to enforce, not just request, 2-step verification across the tree. Manager-account administrators can enforce 2SV on the child accounts they control — protecting the whole client portfolio from a single setting rather than hoping each individual login is hardened. Pair that with a recurring user-access audit: review every user on every account on a schedule, remove dormant logins, and delete access for departed staff and finished engagements. Google’s own Community Team urged exactly this in November 2025 — delete dormant accounts, audit everyone with access, enable 2FA, and watch for logins from unrecognized devices.

Whether to centralize all of this under one MCC or split exposure across separate structures is partly an in-house-versus-agency decision. If you are weighing how much of your paid media strategy to keep in-house versus delegate, account-security ownership belongs in that calculus — the party that holds the MCC holds the risk.

The first four steps reduce the chance of a compromise; the fifth reduces the damage when one slips through. Hijacks in the documented cases moved fast — tens of thousands in fraudulent spend inside 24 hours — so detection speed is the difference between a contained incident and a drained budget. Watch for the early signals attackers leave: an unfamiliar administrative user appearing on the account, a Google login alert showing a sign-in from an unexpected location, or an unexpected change to billing or account links.

Build the recovery plan before you need it. Make sure at least one owner has completed 2SV, since support often requires it to verify identity during recovery. Keep a record of your account IDs and the legitimate administrators so you can prove ownership quickly. And set expectations honestly: even with dedicated support, billing cleanup, suspensions, and refunds of fraudulent spend have taken anywhere from three days to several months in reported cases. The audit is cheap; the recovery is not.

Account security is not a one-time setting; it is an operating habit. Hijacking disrupts the top of the funnel and corrupts the numbers you rely on to plan — the same way ad fraud erodes the benchmarks behind your demand generation pipeline. Treating the five steps above as a recurring audit, not a one-off, is how you keep both your spend and your data trustworthy. If you would rather have a team own this, our paid media management engagements bake account-security hygiene into the standard operating rhythm.