Our Ads account had all user roles demoted to "Read Only" without any notifications, and there was no entry in the audit log. No other changes were made, and no unusual accounts or other changes were noted.
Turns out, we're not the only ones: https://support.google.com/google-ads/thread/385009035/all-admin-users-got-degraded-to-read-only-access-google-ads?hl=en
Google Ads' official stance right now is (in-verbatim):
"Please note that we have completed a preliminary review of the recent activity on your account. Based on this initial examination, we have not found evidence of unauthorized activity."
Which is interesting, considering that anywhere else, having everyone with ownership, administrative, management, or otherwise roles removed, with no paper trail to say how or why, would be ringing alarm bells.
Amusingly (or not), their identity protection, which we have enabled, states: "To protect your account against any unauthorised actions, you'll always be asked to verify that it's you when making important changes, like managing users ..."
Google Ads support appears to have either no understanding or a lack of concern about this issue, or they're hiding something. And if it really was "a security review", it's a very, very, strange way to go about it.
Finally, it appears that the incident occurred at exactly the same time as everyone else reported, around 10:00 AM UTC on October 31st. It might have been Halloween, and spooky, but it's certainly not fun.
Anyone else affected?