A Hacker Spent $14,684 of an Ad Budget Overnight
A business we work with had their ad account hijacked. Not by someone guessing a password, and not by brute force. The attacker copied a trusted browser session and walked straight in, past the password and past two-factor authentication.
Here is what happened once they were inside:
- They duplicated one of the account’s real, live campaigns, so at a glance nothing looked wrong.
- They swapped the real ads for fake ones promoting an unrelated product.
- They raised the daily budget from about $93 to roughly $500,000.
- They let it run. It spent $14,684 before it was stopped.
Two details make this one worth learning from.
First, no one sat there clicking. Every single change in the account happened in the same second. No human moves that fast, so the hacker almost certainly turned an automated script loose on the account. That is how these break-ins run at scale: a script hits thousands of accounts, and any one with a weak door gets walked through in minutes.
Second, there was no warning. The account owner got zero alert emails. The most likely explanation is that the attacker deleted them to buy time. The platform does not alert you when a budget suddenly jumps, so nothing flagged it on the account side. It was caught by the platform’s own automated system and by our team watching the account, and it has been escalated for review.
It Is Not Just a Facebook Problem
We know of another business that ran into a version of this on the Google side. Someone got into an account with admin access, added themselves, pushed the other users out, and started raising the budgets.
That one ended better. It was caught quickly, the attacker was locked out, the changes were reversed, and it was reported to Google before any real money was lost.
The reason it ended better is worth sitting with. That account had a backup layer of access the attacker did not control, so regaining control and shutting them out took minutes instead of days. Nobody is too small or too careful to be a target, and the businesses that come through these attacks intact are usually the ones that planned for the bad day before it arrived.
How They Get In Without Your Password
The method behind the first story is called session cookie hijacking, and it is worth understanding because it defeats the two protections most people rely on.
When you log in somewhere and check “trust this device,” your browser stores a small file, a cookie, that tells the site “this machine is already approved.” It is what keeps you from re-entering your password every time you open a tab.
If someone copies that cookie, they can load your logged-in session on their own computer. No password. No two-factor code. As far as the site is concerned, they are you, on a device you already approved.
That cookie usually gets stolen one of two ways: you open a compromised file or attachment that quietly copies your browser data, or you log into a shady third-party app “with Facebook” or “with Google” and it leaks your credentials. Old sessions that were never logged out make it worse. It is common to find accounts with active logins going back years, some to 2017. Every one of those is a door still standing open.
This is the lesson most people miss: two-factor authentication did not save that account, because the attacker never needed to log in. They rode in on a session the browser already trusted. People treat two-factor as the finish line. It is not.
Security Is Not One Setting. It Is a Set of Doors.
The mistake is thinking of account security as a single switch you flip once. It is closer to a house with several doors. A strong password locks one. Two-factor locks another. But if the side door, the garage, and an upstairs window are all still open, the front-door lock does not matter much.
Most accounts have three or four of those doors open right now, and nobody has checked them in years. The good news: closing them takes about ten minutes. Here is the full list.
Not Sure Where to Begin?
If you are looking at this list and not sure where your account stands, that is exactly what an Opportunity Review is for. We look at where you are across accounts, access, and security, and tell you specifically what is worth addressing and what can wait.
No obligation. Just a clear picture of where you stand.
👉 Request an Opportunity ReviewThe Biggest Door of All: Who Actually Owns the Account
Here is the one almost nobody thinks about, and it is the most important. Who is the primary owner of your ad accounts, your Business Manager, and your Google Business Profile? If the honest answer is “my agency set all of that up,” you have a gap, even if nothing has gone wrong yet.
When an agency creates your accounts under their own umbrella, they hold owner-level access, the highest level there is, on the assets your business runs on. And you have no window into their security. You cannot see whether their team uses passkeys, whether they clear out old sessions, or whether someone who left last year still has a way in. If that agency gets compromised, the attacker inherits owner rights to your accounts, and there is nothing you can do about it from your side.
This is why we insist that every client create and own their own accounts from day one. You are the primary owner. You add your agency and your partners as users, with the access they need and nothing more, and you can remove them at any time. It is the difference between handing someone a key you can take back and signing over the deed to your house.
If an agency ever resists putting ownership in your name, treat that as the answer to a question you did not know to ask.
When a Relationship Ends, the Access Should End With It
The flip side of owning your accounts is keeping the guest list short. Access does not expire on its own. When a freelancer moves on, an app goes unused, or an agency relationship ends, that access stays live until someone removes it.
We see this constantly from the other side. When we stop working with a client, we ask, sometimes more than once, to have our access removed. Often it never happens. And on some platforms, a user cannot remove their own access at all; only the account owner can do it. So the old connection just sits there, open.
That is a risk for everyone involved. Every account you are still connected to is a possible path into yours, and yours is a possible path into theirs. If a former vendor’s account gets breached, the attacker can try that leftover access as a backdoor into yours. Keeping your user list tight is not housekeeping. It is closing doors you forgot were open.
Your Ad Account Security Checklist
- Make sure you are the primary owner of your own accounts. Your ad accounts, Business Manager, and Google Business Profile should be owned by you, not your agency. Add partners as users you can remove; never let an outside company hold owner-level access to the assets your business runs on.
- Use a strong, unique password. Not one you reuse on any other site.
- Turn on two-factor authentication, and use a passkey if you can. A passkey needs your physical device, so a stolen session or password alone is not enough to get in.
- Log out of all active sessions you do not recognize. Do this now, and again every few months. This is the exact door the $14,684 attack came through.
- Review the third-party apps connected to your Facebook or Google login. Remove any you do not actively use.
- Check who has access to your Business Manager and ad accounts. Remove anyone who should not be there, including agencies, freelancers, and apps from relationships that have ended. That access does not remove itself.
- Check the “Requests” tab in Business Settings for invitations you never approved.
- Set up an alert for sudden budget or spend changes, so unusual activity is caught in minutes, not days.
- Be careful with downloads and email attachments. A single compromised file can quietly copy your browser session.
- Check whether your email has been in a known data breach at haveibeenpwned.com.
- Keep work devices clean. If you suspect a machine is compromised, wipe and reset it rather than hoping.
Run all eleven today. The first pass takes about ten minutes. Then put a reminder on your calendar to run the session logout and access review every few months, because access drifts: people leave, apps get connected, sessions pile up.
One More Set of Eyes
Keeping this tight across multiple ad accounts, multiple platforms, and multiple people with access is a real job, and it is easy for a door to drift open without anyone noticing. If you want a second set of eyes on how your accounts are set up and where you might be exposed, that is part of what we look at when we dig into an account. See what we’d flag in your setup →
Want More Insights Like This?
We break down what’s actually working for Amazon sellers, Google Ads, and paid media every week, with no fluff and no filler. Sign up for the newsletter and get practical insights like this delivered straight to your inbox.
👉 Sign Up for the Newsletter