
Massive Facebook Account Heist: Over 30,000 Compromised in New Google AppSheet Phishing Scheme

Last updated: 2026-05-02 23:40:40 · Cybersecurity

Breaking: 30,000 Facebook Accounts Stolen via Google AppSheet Phishing Campaign

More than 30,000 Facebook accounts have been compromised in a sophisticated phishing campaign that exploits Google's AppSheet platform. The operation, tracked as AccountDumpling by cybersecurity firm Guardio, is linked to a Vietnamese threat group.

Source: feeds.feedburner.com

The attackers use Google AppSheet as a phishing relay, abusing the legitimate service to distribute malicious emails. Victims unknowingly enter their Facebook credentials on fake login pages, which are then harvested and sold through an underground storefront.

"This is a prime example of attackers monetizing a trusted tool to bypass security filters," said a Guardio researcher, speaking on condition of anonymity.

How the Attack Works

The phishing emails appear to come from trusted sources because they are routed through Google's infrastructure. When recipients click a link, they are directed to a Facebook-branded login page hosted on AppSheet.

Once credentials are entered, the attackers capture them and immediately use automated scripts to take over the accounts. Stolen profiles are then listed for sale on a dedicated illicit marketplace, sold in bulk to other cybercriminals.
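The mismatch described above, Facebook branding that arrives through AppSheet's own mail and links, can be checked mechanically at the mail gateway. The following Python sketch is an added example, not Guardio's tooling or code from the original article; the relay list, the brand-to-domain map and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: brand keywords mapped to the domains that brand really uses.
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com", "meta.com"}}
# Assumption: platforms that send authenticated mail on behalf of app builders.
RELAY_DOMAINS = {"appsheet.com"}
URL_RE = re.compile(r"https?://[^\s<>()]+", re.I)

def in_domain(host, domains):
    """Match on label boundaries, so facebook.com.evil.example does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def assess(raw):
    """Return findings where a claimed brand disagrees with sender or link hosts."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    claimed = " ".join([display, str(msg["Subject"] or ""), text]).lower()
    findings = []
    for brand, official in BRAND_DOMAINS.items():
        if brand not in claimed:
            continue
        if in_domain(sender_domain, RELAY_DOMAINS) and not in_domain(sender_domain, official):
            findings.append(f"{brand} branding sent via relay {sender_domain}")
        for url in URL_RE.findall(text):
            host = urlsplit(url).hostname
            if not in_domain(host, official):
                findings.append(f"{brand} branding links to {host}")
    return findings

# Constructed sample message; address and URLs are placeholders, not campaign indicators.
SAMPLE = """\
From: "Facebook Support" <noreply@appsheet.com>
Subject: Action required on your Facebook page
Content-Type: text/plain; charset=utf-8

Your page violates our policy. Confirm your account:
https://www.appsheet.com/start/00000000-placeholder
Help center: https://www.facebook.com/help
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE):
        print("ALERT:", finding)
```

Sender authentication results are deliberately not consulted here: mail relayed through a legitimate platform passes SPF and DKIM, so the signal is the disagreement between the claimed brand and the hosts involved.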

Background

Google AppSheet is a no-code application development platform intended for businesses to create custom apps. The threat actors weaponize the trust placed in the platform by embedding phishing forms within legitimate-looking AppSheet apps.

Guardio first detected the campaign in early 2025, noting that the Vietnamese group had been active since at least late 2024. The scale of the operation suggests a well-resourced team with access to automated account takeover tools.


Similar abuse of cloud collaboration tools—like Google Docs, Microsoft SharePoint, or Dropbox—has been documented before, but this is the first large-scale campaign specifically targeting Facebook accounts through AppSheet.

What This Means

Users are urged to enable two-factor authentication on their Facebook accounts and avoid clicking links in unsolicited emails. Even if a link appears to come from a known service (like Google AppSheet), always verify the URL carefully.

Businesses relying on AppSheet for internal tools should audit their apps for any unauthorized forms or data-collection components. Google has not yet issued a public statement, but Guardio recommends disabling public access to AppSheet apps where possible.

The broader implication is that cybercriminals continuously adapt to evade detection by abusing trusted platforms. Organizations must stay vigilant and educate employees about phishing tactics that exploit legitimate cloud services.

Key Recommendations

  • Enable two-factor authentication on all social media accounts.
  • Do not click on email links requesting login credentials; manually navigate to the official site.
  • IT teams should monitor for unusual AppSheet usage or unexpected account takeovers.
  • Report suspicious emails to your organization's security team.

Guardio has shared technical indicators of compromise with law enforcement. The investigation is ongoing.