On 5th June 2026, at 5:38 in the morning, an email arrived that we had been waiting 70 days to receive.
“Great news! We have successfully accessed your website and verified the meta tag you added. As the verification is now complete, we have granted Admin access to the email address [email protected] for Google Ads account 109-812-1333.“
We read it three times before it felt real.
We were back.
We are writing this because when we were in the middle of it, locked out, frustrated, going in circles with Google support for weeks on end, we searched everywhere for someone who had been through this and come out the other side. We found almost nothing. So this is that article. The one we wish had existed when we needed it.
A Quick Recap: How It Happened
If you have not read our first piece, you can read the full story of how our Google Ads MCC was hijacked here. This article picks up from where that one ends.
The First Week: Fast Responses, No Action
We contacted Google immediately. Within hours, we had our first case open and our first response. A Google support agent confirmed that Google’s specialists had investigated and found the account was compromised on 27th March. We were told the account had been reactivated. Users had been restricted. Fraudulent campaigns deleted. Costs unlinked.
On paper, it sounded like things were moving.
In reality, we still had absolutely no access to our account. It had been “reactivated” by Google, but we could not log in, we could not see our clients, we could not verify anything. We were locked out just as completely as before.
We replied the same evening asking for clarification. Our clients were receiving notifications about their accounts being linked to a new MCC. Was this Google’s recovery team or the attacker again? It took another exchange to confirm it was Google’s doing. That was the tone of those first days, every step forward raised a new question, and every question took time to answer.
By the end of that first week, we had raised five separate tickets with five different agents. Not because we wanted to. Because every new form, every new channel, every new entry point we tried opened a new case with someone who had no knowledge of the previous ones. We had the Google Ads managers, each responding to a piece of the story, none of them seeing the whole picture.
And every one of them said some version of: we will get back to you within 7 days.
The Loop Nobody Tells You About
The second and third weeks were where the real frustration began, and we want to explain it carefully because we think it is the most important part of this story for any agency going through the same thing.
Google’s process for restoring access to a compromised account requires you to prove you own the domain associated with the account. This is reasonable. The problem, in our case, was that we could not see which domains were associated with the account because we did not have access to the account.
We explained this. Multiple times. To multiple agents.
The response, consistently, was some variation of: we cannot tell you which domain is associated with the account, and we cannot give you access until you complete domain verification.
So we needed access to complete verification. And we needed verification to get access.
We spent nearly three weeks going around this circle.
On 21st April, a Google support agent gave us a concrete path. We had to create a file named Google-Ads.txt, place a specific verification string inside it, and upload it to the root of our domain. We did this the same day. The agent checked and told us it was not being directed correctly. We fixed it and uploaded again. We were told it still was not accessible from Google’s end.
What we eventually discovered, weeks later, was that our Cloudflare configuration was causing redirect issues that prevented Google’s verification servers from reaching our website directly. Our site worked fine for every normal visitor. But Google’s crawlers were hitting a different routing path and getting nowhere.
This single technical issue, invisible to us for weeks, was the wall between us and our account.
The Moment That Still Sits With Us
On 13th May, a Google support agent sent us what should have been good news. Google had investigated the unauthorised spend and issued a credit to our account. We were told to check the Adjustments section under Billing.
We replied immediately. We could not check the Adjustments section. We could not check anything. We had no access to the account. We asked which account the credit had been applied to and how much it was.
The response was to advise us to contact the admin of the account to request access.
The admin of the account was the person who had stolen it.
That was the moment we stopped being measured in our replies. We wrote back:
“We have already submitted the form before a month ago. There is no update on this from your side. Please stop sending automated messages and try to understand the real-time problem from more than a month.”
We are not going to pretend we were not frustrated. But we also think that email was necessary. It was the first time in weeks that a response came back acknowledging the actual problem rather than redirecting us to a form we had already submitted.
Weeks of Escalations That Led Nowhere
From mid-May onwards, the pattern was consistent. Every email from Google contained an apology and a promise. The dedicated team had been notified. A response was expected in 3 to 5 business days.
We received that response, or something almost identical to it, at least six times.
Each time we waited. Each time nothing came. Each time we followed up, the case was escalated again, and the 3 to 5 business days reset.
Meanwhile our team was spending hours every day writing and reading support emails instead of managing campaigns. Clients were handling their own accounts. Some had paused activity entirely. Our credibility, which we had worked years to build, was being quietly eroded every week this continued.
We want to be honest about what those weeks felt like. There were days when we genuinely did not know if we would get the account back. There were conversations with clients that were very difficult to have. There was a real cost to this that went well beyond the financial.
What Finally Broke It Open
In early June, the Google support agent came back to the domain verification issue with renewed focus. Our website was still not reachable by Google’s servers. We went through our entire technical configuration, DNS records, Cloudflare firewall rules, redirect chains, server-side settings, and identified the specific configuration that was causing Google’s crawlers to be rerouted.
We fixed it on 4th June and wrote back:
“We have identified and resolved the underlying configuration that was preventing Google’s verification systems from consistently accessing our website. We have thoroughly reviewed our DNS configuration, Cloudflare settings, redirects, and server-side rules. Could you please reattempt the domain ownership verification?”
The next morning, at 5:38 AM, the agent confirmed the verification was successful and that Admin access had been restored.
Seventy days after the attack, we were back inside our own account.
If Your MCC Has Been Hijacked – Here Is Exactly What To Do
We are adding this section because it is the section we needed and could not find anywhere when we were going through this. Everything below comes directly from what we did, what failed, and what finally worked. If your account has been hijacked and you are reading this right now, this is for you.
The first thing to understand is that this process is not fast and it is not straightforward. Google’s recovery path for a compromised MCC has real structural flaws, the biggest one being that it asks you to verify domain ownership in order to regain access, while simultaneously refusing to tell you which domain to verify because you do not have access. We lived in that circle for three weeks. Knowing it exists before you enter it will save you a significant amount of time and frustration.
Here is what to do, in the order we would do it if we had to start again.
Step 1 – Report the Compromise to Google Immediately
Do not wait. The moment you realise your account has been compromised, contact Google Ads Support and report it specifically as an account compromise, not a general access issue. The distinction matters. Use the words “account compromise” and “unauthorised admin access” from the very first contact.
Go to support.google.com/google-ads and select the compromised account option. Fill in your account ID, the date of the compromise, the unauthorised email addresses that were added, and the nature of the fraudulent activity. Keep a copy of every submission you make.
Step 2 – Open One Strong Ticket and Stay With It
This was our biggest mistake in the first two weeks. We opened five tickets thinking volume would accelerate the process. It did not. Each new ticket created a new case with a new agent who had zero context for what had already been tried.
Find the one thread where a real agent is genuinely engaged with your specific problem and stay in that thread only. Reference the case ID in every follow-up. Quote back what previous agents promised and when they promised it. Make it impossible for the next agent to treat your case as a fresh inquiry.
Step 3 – Fix Your Cloudflare or Proxy Configuration Before Anything Else
This is the step that nobody writes about and it cost us six weeks. Read this carefully.
If your website runs through Cloudflare or any CDN, Google’s verification crawlers may not be able to reach your domain even though your site loads perfectly for normal visitors. Google’s servers operate on different IP ranges and can be silently blocked or rerouted by firewall rules and security settings you would never notice in normal use.
Before you tell your support agent the verification file is ready, do the following in your Cloudflare dashboard. Set your Security Level temporarily to Essentially Off. Check your Firewall Rules for anything blocking unfamiliar crawlers. Review your redirect rules for any chain that reroutes traffic unexpectedly. Under DNS, confirm your domain is resolving cleanly without proxy interference.
After making these changes, open the verification file URL directly in your browser and confirm you can see the plain text content. Only when you are sure it is accessible should you notify your agent.
Step 4 – Complete the Google-Ads.txt Domain Verification
When Google asks for domain verification, this is the method that works. Create a plain text file and name it exactly: Google-Ads.txt
Inside the file, paste this string with your own details filled in:
GooGhywoiu9839t543j0s7543uw1. Please grant Admin access for user [your email address] in Google Ads account [your 10-digit account ID] – Date [Month/DD/YYYY].
Upload it to the root of your website so it is accessible at yourdomain.com/Google-Ads.txt. Then reply to your support thread with the direct URL and specifically ask the agent to verify it. Do not assume they will check without prompting.
Step 5 – Follow Up Every 48 Hours Without Fail
Google’s dedicated account recovery team operates on longer timescales than general support and cases get parked when communication stops. Set a reminder to follow up every 48 hours. Every follow-up should reference your case ID, the date of your last meaningful response, the specific commitment the previous agent made, and the exact thing you are still waiting for. Be factual, be structured, and do not stop.
Step 6 – Request a Credit for the Unauthorised Spend
Once access is restored, do not assume the credit process is automatic. Contact support again and formally request a review of all unauthorised spend during the compromise period. Reference the fraudulent campaigns and billing charges by date and amount.
In our case, Google credited approximately €1,500 of the roughly €2,000 in fraudulent charges. The credit appeared in the Adjustments section of Billing under “Unauthorised account activity.” If you do not see it, ask explicitly which account it was applied to and what the exact amount was. If the credit is insufficient, escalate in writing with your cybercrime complaint reference number attached.
Step 7 – Secure Everything Before You Resume Operations
The moment you regain access, before you do anything else, change every password and enable two-factor authentication on every Google account connected to your MCC. Review your full user list and remove every email address you do not recognise. Audit every active campaign and pause or delete anything your team did not create.
Regaining access is not the same as the attacker being gone. Verify everything systematically before resuming normal operations.
Best Practices for Recovering From a Hack
If your Google Ads MCC has been hijacked, the first few hours matter more than anything else. Every minute of delay gives the attacker more time to spend, more time to cover their tracks, and more time to cause damage that is harder to reverse. This section is a practical recovery guide for any agency going through this right now. Follow these in order.
Secure All Connected Email Accounts First
Before anything else, secure every email account that has access to your Google Ads MCC. Change the passwords immediately on all of them. Enable two-factor authentication on every single one if it is not already active. Log out of all existing sessions on every device.
The attacker gained entry through an account credential. Until every connected email account is locked down and verified, the door they used is still open. Do not contact Google support, do not notify clients, do not do anything else until this step is done. Everything else depends on it.
Notify All Affected Clients Immediately
Do not wait until you have answers before contacting your clients. Contact every client whose account sits under your compromised MCC as soon as you have confirmed the breach. Tell them exactly what happened, what you know so far, and what you are doing about it. Ask them to check their accounts for any unauthorised campaigns or billing changes and report anything unusual back to you immediately.
Clients who are informed early are far more forgiving than clients who find out on their own. Silence during a crisis destroys trust faster than the crisis itself.
Contact Your Bank and Flag Potential Fraudulent Charges
Call your bank or payment provider immediately and inform them that your billing account connected to Google Ads has been compromised. Ask them to flag any unusual or large transactions for review and request that they temporarily block any new charges from Google Ads until the situation is resolved.
If fraudulent charges have already been processed, raise a formal dispute immediately. The sooner a dispute is raised, the stronger your position for a reversal. Banks treat early-reported fraud very differently from fraud reported weeks later.
Document Everything Before Anything Changes
The attacker will have left a trail inside your account, unauthorised users, new campaigns, billing changes, access logs. This trail is your evidence and it will not stay visible forever. Google’s system overwrites change history over time and campaigns get deleted during recovery.
Before you or Google make any changes to the account, take screenshots of everything you can access. Screenshot the user list, the active campaigns, the billing section, the change history, and any email notifications you received at the time of the breach. Save all of it in a dedicated folder with timestamps. This documentation will be critical when you raise a billing dispute, request a credit from Google, or need to demonstrate the extent of the damage.
Communicate With Google Effectively
When you contact Google support, use the words account compromise and unauthorised admin access from your very first message. These specific terms trigger a different internal review process than a general access or billing complaint.
Keep all your communication in a single support thread rather than opening multiple tickets. Every new ticket creates a new case with a new agent who has no context for your situation. In every follow-up, reference your case ID, quote the specific commitment the previous agent made, and state clearly what you are still waiting for. Follow up every 48 hours without fail. Be factual, be specific, and do not stop until the issue is resolved.
Handle Client Billing Disputes Promptly
For every client account that has been charged fraudulently, raise a formal billing dispute with Google in writing as soon as possible. Reference the specific dates, the campaign names created by the attacker, and the amounts charged. Ask Google to investigate the charges under their unauthorised account activity policy.
At the same time, advise your affected clients to contact their own banks and raise disputes for any charges they did not authorise. A dispute raised by the cardholder directly carries significant weight and can result in faster reversals than an agency raising it on their behalf.
Protect Unaffected Accounts While Recovery Is Ongoing
If some of your client accounts still have independent admin access outside of your compromised MCC, work with those clients immediately to disconnect their accounts from your MCC. This protects them from any further damage while recovery is underway and allows them to continue operating their campaigns without interruption.
For accounts that are still accessible, change all passwords, review the user lists, and remove any unfamiliar email addresses immediately. Do not wait for the MCC recovery to be complete before securing the accounts you can still reach.
Verify Domain Ownership the Right Way
Google will ask you to verify domain ownership as part of the account recovery process. The method that works is the Google-Ads.txt file verification. Create a plain text file named exactly Google-Ads.txt and place the following string inside it with your own details filled in:
GooGhywoiu9839t543j0s7543uw1. Please grant Admin access for user [your email address] in Google Ads account [your 10-digit account ID] – Date [Month/DD/YYYY].
Upload this file to the root directory of your website so it is accessible at yourdomain.com/Google-Ads.txt. Before you tell your support agent the file is ready, open the URL yourself in a browser and confirm you can see the plain text content clearly.
Check and Fix Your Server and CDN Settings
If your website runs through Cloudflare or any content delivery network, Google’s verification crawlers may not be able to reach your domain even though your website loads perfectly for normal visitors. This is one of the most common and least documented reasons why domain verification fails repeatedly.
Before notifying Google that your verification file is ready, go into your Cloudflare dashboard and temporarily set your Security Level to Essentially Off. Check your Firewall Rules for anything that might block or challenge unfamiliar crawlers. Review your redirect rules and DNS settings to confirm your domain is resolving cleanly. Test the verification file URL from a different network or device before proceeding. Only once you are certain the file is accessible should you ask Google to re-verify.
Audit Your Account Thoroughly Once Access Is Restored
The moment you regain access to your MCC, do not resume normal operations immediately. Treat the account as a crime scene that needs to be fully examined before it is used again.
Go through your complete user list and remove every email address you do not recognise. Check every linked client account for unauthorised users and remove them. Review all active campaigns and pause or delete anything that was not created by your team. Go to the Billing section and check the Adjustments tab for any credits issued by Google for unauthorised spend, if you do not see one, request it explicitly in writing. Check your payment methods and remove any that were added without your authorisation. Only once every element of the account has been reviewed and cleaned should you resume managing client campaigns.
What We Learned About Getting Through This
We are not going to pretend there was a single clever trick that worked. What worked was persistence, documentation, and eventually solving a technical problem we did not know existed.
But there are things we would do differently from Day 1 if this happened again, and we want to share them plainly.
Keep all your communication in as few threads as possible. Opening multiple tickets feels like it will speed things up. It does not. It creates confusion, fragments your case history, and means every new agent starts from scratch. Pick the thread where an agent is actively engaged and push hard on that one.
When you write to support, be specific and factual, not emotional. Our most effective emails were the ones that laid out, point by point, what had been promised, what had not been delivered, and exactly what we needed. Vague frustration produces templated replies. Specific, referenced requests force engagement.
If you use Cloudflare or any reverse proxy, check your configuration early. This is not obvious advice and we would never have thought to look there without weeks of elimination. But if Google’s verification servers cannot reach your domain, nothing else moves.
Do not stop. There were weeks when continuing felt pointless. Keep going. Keep following up. Keep referencing your case IDs and the commitments made in previous emails. The account can be recovered. It just takes longer than it should.
The Financial Reality
Our clients lost approximately €2,000 in unauthorised ad spend across their accounts. Google credited approximately €1,500 back, visible in the Adjustments section once we had access to verify it. The remaining gap is something we are still working through.
We are grateful the credit was issued. We are not going to pretend €500 and 70 days of disruption was a small thing.
What We Have Changed
Two-factor authentication is now mandatory on every Google account in our agency. MCC access is reviewed monthly. No new client account is linked without a video call and business registration verification first. Any request to link an account before a formal engagement is now treated as a red flag by default.
These are not complicated changes. Most of them should have already been in place. We are telling you now so you can put them in place before you need them.
To Every Agency Reading This
If you are in the middle of a recovery right now, it is possible to get your account back. It will take longer than Google’s timelines suggest. It will require more from you than it should. But it is possible.
And if you are not in the middle of one, secure your MCC today. Enable 2FA today. Audit your user list today. Not because something has gone wrong. Because something can.