Saturday, November 9, 2024

A Google Ads Glitch Likely Triggered A Data Breach Within Google Merchant Center | AdExchanger

Must read

Call it a major GMC oopsey.

Google Merchant Center (GMC), Google’s hub for commerce advertising and analytics, has been accidentally cross-pollinating data – including unencrypted customer and product info – between accounts on the platform going back at least two weeks, according to three ecommerce consultants and ad agency execs who each manage numerous GMC accounts.

The issue was likely related to a massive Google Ads outage.

Ingvar Kraatz, co-founder and COO of Bidnamics, a shopping ads agency, flagged the problem on LinkedIn, and it was subsequently reported by Search Engine Land.

It’s important to note that each of the three Google shopping ads experts who spoke with AdExchanger about the glitch operate multiple GMC accounts. The glitch appears to be polluting data between accounts operated by multi-account vendors, such as agencies and consultancies.

Vendors that manage accounts for many brands use a sign-in called “My Client Center.” Two people told AdExchanger they believe that the issue stems from a problem with MCC, which is what this feature is called.

A Google spokesperson told AdExchanger that the errant data was appearing because products in some GMC accounts had been “inadvertently served from other advertisers’ Google Ads campaigns.”

As for the Google Ads and reporting outages on Thursday and Friday: “We temporarily paused access to certain reports as we took the necessary steps to remove the incorrect data and resolve this issue.”

Accounts are back to serving and reporting correctly, according to the spokesperson.

Just another glitch?

It can be hard to determine the extent of the damage when Google’s ad platform goes haywire.


Subscribe

AdExchanger Daily

Get our editors’ roundup delivered to your inbox every weekday.

Google has provided next to no information about this bug. In typical Google fashion, it barely even acknowledged the glitch exists beyond a post on X from Google Ads liaison Ginny Marvin on Thursday during the outage.

“We’re actively looking into an issue with Google Ads,” Marvin posted.

That rather anodyne statement doesn’t reflect the chaos on the ground.

“This was a rare and major type of outage,” one source told AdExchanger.

Marvin noted on X that multiple features were down in the Google Ads web interface, including Report Editor, Dashboards and Saved Reports. She also said that the Products, Product Groups and Listing Groups pages were down across the web interface, API and Google Ads Editor.

All three AdExchanger sources independently theorized that this Google Ads outage was directly related to the GMC glitch.

All we have is a hunch

There is a great deal of speculation about the nature and extent of the glitch within GMC.

But this isn’t the first time a system bug has left users without clear answers. A chronic problem with Google over the past couple years is a lack of accountability when its platform is at fault.

In March, Google issued refunds to thousands of its DSP customers. To this day, seemingly none of them know what the refunds were for, other than that certain budgets had been misspent on something between July and December of last year.

Likewise, it is unknown whether the broad Google Ads outage on Thursday was related to fixing a GMC bug.

The Google Ads bug could have been caused by the major rollout of a new GMC account system, since the entire GMC customer base is being upgraded in August, with all customers to be migrated by September.

It strains credulity to imagine that the recent glitch is unrelated to the new system rollout. But it will remain speculation for as long as Google doesn’t address the issue.

Even when glitches cause tens or hundreds of millions of dollars to be misspent, Google makes a practice of not detailing the nature or extent of these bugs, and will only disclose them to clients when there is a public pressure campaign to do so. This specific GMC glitch, whereby competitor or other account info was being shared, hasn’t been officially addressed by the company at all beyond its background statement to AdExchanger.

The data that was improperly shared wasn’t material in terms of quantity, said one agency exec who has already begun combing through reports. It also wasn’t unencrypted purchase data about individuals, but rather product feed info, item IDs and other metadata that GMC attaches to ads.

It is also unclear how Google will refund accounts, since the seemingly random data points from other sellers were actually products mistakenly served by that business’s Google Ads account.

This data leakage was easy to miss, as many GMC account operators did for a couple weeks. But some merchants may have paying for ads carrying the products of a competitor’s brand.

What’s next?

Google shopping ad agencies and vendors are still waiting to see whether the problem has been fixed, despite assurances. They’re also going through their reports to see whether they’d been affected.

However, the reports they need in order to pull the data so as to observe this glitch were down during the day on Friday.

“Probably to prevent exactly this from happening,” said one shopping ads consultant.

He learned from AdExchanger that errant data in one of his customer’s accounts was probably the result of another seller’s products being served in the wrong client’s Google Ads campaign. But when he went back to investigate further, the whole system for GMC reports was down, and hasn’t shown anything since.

“Can Google pull back all the individual data points it’s put into other accounts?” asked one agency buyer. “Probably.”

But what if one account was converting on sales of another account’s products?

“Not sure how that will work,” he said.

The buyer told AdExchanger that their team is going back to see if any of the data is attached to an individual, like a purchase or ID, rather than only aggregated info revealed by metadata. Even if no individual data has been compromised, what’s there could still be revealing about companies.

Kraatz of Bidnamics noted in his LinkedIn post that his company was able to reidentify which other brand data had leaked from by looking for product info that matched the data being associated with his client account. He said Bidnamics has begun encrypting that type of information within its client accounts in case it’s being shared.

At the time, he thought data was simply populating in the wrong place. Kraatz was unaware one seller was serving ads for another account’s product feed.

The improperly shared data in GMC is not as revealing as customer info, that same agency buyer told me, and an advertiser couldn’t, say, use it to retarget someone. But it shows the type of traffic, content and data a potential competitor focuses on in its account.

“It’s embarrassing for all involved,” he said.

Latest article