Massive Facebook Account Heist: Over 30,000 Compromised in New Google AppSheet Phishing Scheme

<h2>Breaking: 30,000 Facebook Accounts Stolen via Google AppSheet Phishing Campaign</h2> <p>More than 30,000 Facebook accounts have been compromised in a sophisticated phishing campaign that exploits Google's AppSheet platform. The operation, tracked as <strong>AccountDumpling</strong> by cybersecurity firm Guardio, is linked to a Vietnamese threat group.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilUS_xmTpvaJtwhFTnxsBtKSx2hWroMJKWUCKeB_CNx_9-5T85bdpqGfTZ0__XITi-i6ZnndaiiiFggf3Cgf-35KK-G6sEwvnlqom2DK6U-oH_o9GhEGNyd9kiSti-QC_dpl3v7b7IniC9kAUzV265yVbVsWAnLnH1RfQxrftUHj5MFAm03MOBw3Z6UEVb/s1600/phish.jpg" alt="Massive Facebook Account Heist: Over 30,000 Compromised in New Google AppSheet Phishing Scheme" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure> <p>The attackers use Google AppSheet as a <em>phishing relay</em>, abusing the legitimate service to distribute malicious emails. Victims unknowingly enter their Facebook credentials on fake login pages, which are then harvested and sold through an underground storefront.</p> <p>"This is a prime example of attackers monetizing a trusted tool to bypass security filters," said a Guardio researcher, speaking on condition of anonymity.</p> <h3>How the Attack Works</h3> <p>The phishing emails appear to come from trusted sources because they are routed through Google's infrastructure. When recipients click a link, they are directed to a Facebook-branded login page hosted on AppSheet.</p> <p>Once credentials are entered, the attackers capture them and immediately use automated scripts to take over the accounts. Stolen profiles are then listed for sale on a dedicated illicit marketplace, sold in bulk to other cybercriminals.</p> <h2 id="background">Background</h2> <p>Google AppSheet is a no-code application development platform intended for businesses to create custom apps. The threat actors weaponize this trust by embedding phishing forms within legitimate-looking AppSheet apps.</p> <p>Guardio first detected the campaign in early 2025, noting that the Vietnamese group had been active since at least late 2024. The scale of the operation suggests a well-resourced team with access to automated account takeover tools.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyqUz0-ifa8jE9rCzud3wzxmhcuzTp1VOWFEvGMoZXDYfaB_4459fPyvyQw7wvAnzjzDL09PkyJM83QGheO69fC3esg1WA7WnJ89i_t_q3K8DxYmgV__QujU8RWRnCK4MpbKqu8nwuMFfLaiRVHy_ov7IZ16hoKI3rIu-5BcISmqXPjlQU7N0sa4lWI-n-/s728-e100/wiz-d.png" alt="Massive Facebook Account Heist: Over 30,000 Compromised in New Google AppSheet Phishing Scheme" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure> <p>Similar abuse of cloud collaboration tools—like Google Docs, Microsoft SharePoint, or Dropbox—has been documented before, but this is the first large-scale campaign specifically targeting Facebook accounts through AppSheet.</p> <h2 id="what-this-means">What This Means</h2> <p>Users are urged to enable <strong>two-factor authentication</strong> on their Facebook accounts and avoid clicking links in unsolicited emails. Even if a link appears to come from a known service (like Google AppSheet), always verify the URL carefully.</p> <p>Businesses relying on AppSheet for internal tools should audit their apps for any unauthorized forms or data-collection components. Google has not yet issued a public statement, but Guardio recommends disabling public access to AppSheet apps where possible.</p> <p>The broader implication is that cybercriminals continuously adapt to evade detection by abusing trusted platforms. Organizations must stay vigilant and educate employees about phishing tactics that exploit legitimate cloud services.</p> <h3>Key Recommendations</h3> <ul> <li>Enable <strong>two-factor authentication</strong> on all social media accounts.</li> <li>Do not click on email links requesting login credentials; manually navigate to the official site.</li> <li>IT teams should monitor for unusual AppSheet usage or unexpected account takeovers.</li> <li>Report suspicious emails to your organization's security team.</li> </ul> <p>Guardio has shared technical indicators of compromise with law enforcement. The investigation is ongoing.</p>