A Timely Reminder: Adwords Passwords & Security

Over the weekend Gawker Media’s site network including lifehacker, Jezebel, Gawker, Gizmodo and others was hacked, their entire site database packaged up, downloaded, and posted as a Torrent on the The Pirate Bay website.  Included in that site db were over 1.3m commentator usernames, emails and passwords…in plain text.

By far, the vast majority of the email addresses in the db were @gmail.com addresses, closely followed by @yahoo and @hotmail variations.

Wouldn’t you know it, a lot of people, and I mean A LOT of people, use the same password for nearly everything, from commenting on Gawker blogs to their Gmail accounts and beyond.  The instant this hit the web, hackers and curious programmers were writing scripts to try the hacked passwords in combination with the email addresses to gain access to users’ email and Twitter accounts and the like.  Many of them were successful, and gmail accounts were accessed.

This immediately made me think of Google Accounts, and the close tie-in between Google services like Adwords and more benign services like email.  Twitter fell face-first into a massive internal document leak when a hacker used social engineering methods to reset Twitter staff user gmail passwords, locking the staff users out of their own Google Accounts and giving the hacker access to all of Twitter’s internal documents (including strategy and HR documents) that were created using Google Docs.  (PS-If you were Twitter and Google was your competition, would you be using Google Docs?  Question for another time I guess…)

If you haven’t had a chance to read the background of how using Google Docs lead to Twitter’s hack, I highly recommend you read this backgrounder and see if you can spot any familiar points in your organization.

The same thing could happen to your Adwords account, particularly when there are a number of users with Admin-level access.

A friend of mine had his Adwords account compromised this way in 2007, with the hacker running up $160,000 in clicks in two days by bidding on “Pepsi” with a bunk ad, bidding $100 CPC.  Google was able to refund them, but the account had to be shut down completely for security reasons by Google, and he lost over four years of account history and had to start from scratch with a net-new Adwords account.

This whole Gawker fiasco is a good reminder that it’s essential to a) not use the same password over and over again on PPC platforms in particular, and b) rotate your passwords with complex variations that are less likely to be cracked using brute-force attempts.  Using a mix of uppercase and lowercase letters, numbers and symbols all rolled up in the same password is the best way to prevent someone from cracking it using automated brute-force tools.  If you have a hard time remembering complex passwords, consider using 1Password (Mac & Windows) or a similar app to help via autofill.

Because Gmail is tied to nearly every Google Accounts service, the same complex password strategy should apply to your Adwords-connected Gmail or Google Apps accounts, both for yourself and anyone else who has been granted administrative access to your Adwords account.

When you consider the damage that someone could do to your credit card or agency account by running up fraudulent click charges or worse, direct-linking fake ads to sketchy, blacklisted or malware sites, it’s well worth the effort to take the time to update your Google password regimen right away.  The same goes for Facebook Ads, Adcenter or any other key platform that’s linked to your credit card.

Better safe than sorry…