30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

Vietnamese threat actors dubbed AccountDumpling leveraged Google AppSheet as a phishing relay to distribute credential-stealing emails targeting Facebook users. The campaign compromised approximately 30,000 accounts, which the group subsequently sold through their own illicit marketplace.

The attackers exploited AppSheet, Google's no-code application platform, to send phishing messages that appeared legitimate due to the trusted Google infrastructure. This technique bypassed email filtering systems and increased user trust in malicious links. Victims who clicked through landed on credential harvesting pages designed to mimic Facebook's login interface.

Once credentials were captured, AccountDumpling listed the compromised accounts for sale on underground forums and marketplaces. The operation demonstrates how threat actors abuse legitimate cloud services to establish trusted delivery channels for phishing campaigns. The scale of 30,000 stolen accounts underscores the effectiveness of this approach against mass audiences.

Defenders should implement FIDO2 authentication on Facebook accounts to prevent credential reuse attacks. Organizations should monitor for anomalous AppSheet activity and restrict third-party application permissions. Email security teams benefit from flagging messages originating from legitimate cloud services that route through unexpected infrastructure patterns.