Google Ads Bug Likely Caused Google Merchant Center Data Breach

This could be called a major blunder for GMC.

Google Merchant Center (GMC), Google’s advertising and commerce analytics hub, has been inadvertently cross-transferring data — including unencrypted customer and product information — between accounts on the platform for at least two weeks, according to three e-commerce consultants and advertising agency executives who each manage multiple GMC accounts.

The issue was likely related to a major Google Ads service outage.

Ingvar Kraatz, co-founder and COO of advertising agency Bidnamic, reported the issue on LinkedIn, which was then published by Search Engine Land.

It’s important to note that each of the three Google Shopping ad experts who spoke to AdExchanger about the bug handles multiple GMC accounts. The bug appears to contaminate data across accounts handled by multi-account providers, such as agencies and consulting firms.

Providers managing multi-brand accounts use a login called “My Customer Center.” Two people told AdExchanger they believe the problem stems from an issue with MCC, as the feature is called.

A Google spokesperson told AdExchanger that the erroneous data appears because products in some GMC accounts were “inadvertently delivered from Google Ads campaigns from other advertisers.”

Regarding the Google Ads and reporting outages on Thursday and Friday, the spokesperson said: “We’ve temporarily paused access to some reporting while we take the necessary steps to remove the invalid data and resolve the issue.”

The spokesperson said that the accounts are working again and reporting correctly.

Is this just another glitch?

It’s hard to assess the extent of the damage when Google’s advertising platform goes down.

Google has provided almost no information about the bug. In typical Google style, it has barely acknowledged the bug beyond a post on X from Google Ads connector Ginny Marvin on Thursday during the outage.

“We are actively investigating an issue with Google Ads,” Marvin wrote.

This rather mild statement does not reflect the chaos prevailing on the ground.

“It was a rare and serious type of failure,” a source told AdExchanger.

Marvin noted on X that many features were not working in the Google Ads web interface, including Report Editor, Dashboards, and Saved Reports. She also said that the Products, Product Groups, and Listing Groups pages were not working across the web interface, API, and Google Ads Editor.

All three AdExchanger sources independently theorized that the Google Ads outage was directly related to the GMC glitch.

All we have is a hunch

There is much speculation about the nature and extent of the fault at GMC.

But this isn’t the first time a systemic bug has left users without clear answers. A chronic problem for Google over the past few years has been its lack of accountability when its platform is at fault.

In March, Google refunded thousands of its DSP customers. To this day, apparently none of them know what the refunds were for, other than that some budgets were misspent sometime between July and December last year.

Likewise, it is not known whether the major Google Ads outage on Thursday was related to fixing the GMC bug.

The Google Ads bug may have been caused by the large-scale rollout of the new GMC account system, as the entire GMC customer base will be updated in August and all accounts are expected to be migrated by September.

It’s hard to believe that the latest glitch isn’t related to the new system, but that will remain speculation until Google addresses the issue.

Even when bugs waste tens or hundreds of millions of dollars, Google doesn’t disclose details about the nature or scope of those bugs, and only discloses them to customers when there’s a public pressure campaign to do so. This particular GMC bug, which resulted in competitor or other account information being shared, hasn’t been officially discussed by the company beyond its statement to AdExchanger.

The data that was improperly shared was not significant in terms of quantity, said one agency executive who has already begun sifting through the reports. It also was not unencrypted purchase data about individuals, but rather product feed information, item identifiers and other metadata that GMC attaches to ads.

It’s also unclear how Google will refund accounts, since the seemingly random data from other merchants was actually products that were incorrectly displayed in that company’s Google Ads account.

This data leak was easy to miss, as many GMC account operators did for weeks. But some sellers may have paid for ads featuring competitor brand products.

What’s next?

Google Shopping ad agencies and vendors are still waiting to see if the issue has been resolved, despite assurances. They have also reviewed their reports to see if they were affected.

However, the reports needed to extract the data and observe this glitch were unavailable during the day on Friday.

“The idea is probably to prevent exactly that,” said a product advertising consultant.

He learned from AdExchanger that the incorrect data on one of his clients’ accounts was likely the result of another merchant’s products being displayed in the wrong client’s Google Ads campaign. But when he returned to investigate further, GMC’s entire reporting system was down and hadn’t shown anything since.

“Can Google pull all the individual data points it put on other accounts?” one agency buyer asked. “Probably.”

What if one account was generating conversions by selling products from another account?

“I’m not sure how that will work,” he said.

The buyer told AdExchanger that his team is going back to see if any data is linked to an individual, such as a purchase or an ID, and not just the aggregated information exposed by metadata. Even if no individual data was compromised, what’s there could still be revealing about companies.

Bidnamic’s Kraatz noted in his LinkedIn post that his company was able to re-identify which other brands’ data had been leaked by looking for product information that matched data associated with his customer account. He said Bidnamic has begun encrypting this type of information on customer accounts in case it is shared.

At the time, he thought the data was simply appearing in the wrong place. Kraatz didn’t know that one seller was running ads for another account’s product feed.

The misshared data in GMC isn’t as revealing as customer information, the same agency buyer told me, and an advertiser couldn’t, say, use it to retarget someone. But it does show the kind of traffic, content and data a potential competitor is focusing on in their account.

“It’s a shame for everyone involved,” he said.