A marketing agency we work with got hacked in October. The damage? $19,000 in fraudulent Google Ads charges in 48 hours.
The scary part? Their IT team had no idea it was happening.
At 1 AM on October 11th, hackers broke into one of their computers using stolen VPN credentials. By the time anyone noticed, fraudulent ads for phone holders and sneakers were running on our Google Ads account (charging our credit card for products we’d never heard of).
Over a million ad impressions and multiple fraudulent campaigns, all launched within hours.

How It Happened
The attackers got in through a compromised VPN. No multi-factor authentication. Just a username and password (and once they had that… they had everything).
Security camera footage confirmed no employees were in the office during the attack. The hacker worked remotely, installing Google Ads Editor and manipulating campaigns for multiple clients.
The reconnaissance started back in September. There were suspicious software installations and VPN logins from external IPs during off-hours, but none of it triggered alerts (because their monitoring software wasn’t catching it).
By October 21st, fraudulent campaigns went live. Budgets escalated. Charges hit our card. And nobody at the agency even knew until we called…
What Went Wrong
No multi-factor authentication on the VPN
Stolen credentials were enough to get full access. One compromised password and the attacker was inside the network.
Weak monitoring software
When we asked their IT team how hackers got in without detection, they started listing software we’d never heard of. The tools they were using simply weren’t catching the activity.
Shared admin accounts
Their Google Workspace account had broad access to all client advertising accounts. One compromised account meant access to everyone’s campaigns.
Delayed response
We sent them our monitoring software on a Friday. Their IT guy waited until Monday to install it (even though we told him the hacker might still be in the network).
What Happened When They Finally Installed Real Monitoring
The second our software went live, it locked everything down and flagged an active threat.
The hacker was still in the network days after the initial breach, still accessing their systems (because their existing tools hadn’t caught it).
We traced the activity back to IP addresses in Iceland and a mobile home park in the US. The attacker had been moving through their systems for weeks.
The Lessons
- Multi-factor authentication stops most attacks before they start. Stolen passwords are worthless if attackers can’t get past the second authentication step.
- Your monitoring software matters. Weak tools give you a false sense of security. If your software isn’t catching threats in real time, you’re blind to what’s happening.
- Shared admin accounts spread damage fast. When one compromised account grants access to multiple clients or systems, containment becomes nearly impossible.
- Delayed response makes everything worse. Waiting days to investigate gives attackers more time to move through your systems and cause damage.
- You need 24/7 visibility. Off-hours attacks are common because hackers know most businesses aren’t watching. Real-time monitoring catches threats when they happen (not days later).
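
The off-hours VPN logins from external IPs described above are a signal a simple log rule can surface. The following is an added example, not the agency's or GiaSpace's tooling; the log line format, the expected network range, the working hours and the sample entries are all assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Constructed sample VPN auth log; the line format is an assumption:
# local ISO timestamp, user, source IP, result, whether MFA was used
SAMPLE_LOG = """\
2025-09-15T09:12:03 jsmith 203.0.113.10 success mfa=no
2025-09-20T01:07:19 jsmith 198.51.100.77 success mfa=no
2025-09-20T01:09:02 adavis 198.51.100.77 failure mfa=no
2025-09-22T14:30:00 adavis 198.51.100.90 success mfa=yes
2025-09-27T23:41:55 adavis 203.0.113.25 success mfa=no
2025-10-11T01:00:12 jsmith 198.51.100.77 success mfa=no
"""

# Assumed values: networks staff normally connect from, and working hours.
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]
WORK_DAYS = range(0, 5)    # Monday-Friday
WORK_HOURS = range(8, 18)  # 08:00-17:59 local time

def is_off_hours(ts):
    return ts.weekday() not in WORK_DAYS or ts.hour not in WORK_HOURS

def is_expected_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXPECTED_NETS)

def find_suspicious_logins(log_text):
    """Return alerts for successful VPN logins made off-hours from an
    unexpected network; password-only sessions are rated 'high'."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines rather than crash the monitor
        stamp, user, ip, result, mfa = fields
        ts = datetime.fromisoformat(stamp)
        if result != "success":
            continue
        if is_off_hours(ts) and not is_expected_source(ip):
            severity = "high" if mfa == "mfa=no" else "medium"
            alerts.append({"time": stamp, "user": user, "ip": ip,
                           "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

On the sample data the rule ignores the weekday login from an unexpected network and the weekend login from the expected range, and raises only the two weekend 1 AM sessions from the unfamiliar address.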
The Financial Fallout
Google charged $15,000 but only refunded $10,000. They claimed $5,000 was still owed. The dispute took weeks to resolve (and the agency is still dealing with financial impact and reputational damage).
The attack was completely preventable. Multi-factor authentication would have stopped the VPN breach. Better monitoring would have caught the suspicious activity in September.
But none of those things were in place.
The Bottom Line
This wasn’t a sophisticated attack. The hacker used stolen credentials and legitimate tools that didn’t trigger alarms.
The agency had IT support, they had monitoring software, and they thought they were protected.
They weren’t. And weak monitoring turned a preventable incident into a $19,000 disaster.
Is Your Business Protected From Credential Theft and Unauthorized Access?
GiaSpace provides 24/7 monitoring, multi-factor authentication implementation, and real-time threat detection that catches attacks before damage happens.
Published: Dec 3, 2025