Google Ads Introduces Multi-Party Approval To Address Mass Adwords Hacking

Brett Tabkeon

It took us six months to begin to recover from what Google Ad account hackers did in under a minute to our Google Ads Account. When it was all done, we lost almost a third of our clients. -PPC Ads Agency

Google is rolling out a new account option in Google Ads called multi-party approval that requires a second admin  to sign off on higher-risk act changes.

If you have tuned into the socials for PPC’ers and SEO’s the last couple years, you know there have been some very high-profile accounts hacked. One firm we know of lost access to over 1000 Ads sub-accounts of clients. The hard part, is that Google was flat-out useless and mostly unresponsive at addressing the issue in any remotely timely manner. It took weeks upon weeks to resolve. Several of the business we talked to last year, say they simply will never fully recover from the Google account take overs.

Google’s multi-party approval is a security control is simply when  someone with admin access tries to perform a sensitive change such as adding or removing a user or updating user roles, the action doesn’t go through automatically. Instead, it triggers a request that another administrator must approve before the change takes effect.

Actions covered are those that affect account access and permissions. Read-only users aren’t included in this approval process.

Google Doc page on multi-admin approval.

How It Works in Practice

  • An admin initiates a account change.
  • The system generates a pending approval request.
  • Other eligible admins get a notification to review the request. Emails are not part of the process.
  • Another admin must approve or reject the change within 20 days, or the request expires.

If the request expires because no one takes action, you have to start the approval process again. Google won’t intervene or approve requests on behalf of account admins.

Once a decision is made, the status stays visible in the interface and is clearly labeled as Complete (approved), Denied (rejected), or Expired (timed out).

Until now, anyone with admin access could make sweeping changes without oversight. For agencies managing multiple client accounts, or for in-house teams where roles shift frequently, that has created a massive elemental platform risk.

Bottom Line

Google has finally added multi-party approval to tighten security around high-impact changes in Ads accounts. It doesn’t change bidding, reporting, or campaign performance, but it does change how teams manage account access. For agencies and advertisers who need tighter controls, this helps block unauthorized moves and reduce accidental disruptions.