Vietnamese Hackers Exploit Google AppSheet to Steal 30,000 Facebook Accounts
Massive Phishing Campaign Targets Facebook Users via Google AppSheet
More than 30,000 Facebook accounts have been compromised in a newly discovered phishing campaign linked to Vietnamese threat actors, security firm Guardio disclosed today. The attackers leveraged Google's AppSheet platform as a phishing relay to distribute malicious emails, bypassing traditional security filters.
The operation, code-named AccountDumpling, involves stealing credentials and then reselling the hijacked accounts through an illicit online storefront run by the same group. Guardio researchers say the campaign has been active for several months and continues to evolve.
“This campaign demonstrates how trusted platforms like Google AppSheet can be weaponized to carry out large-scale credential theft,” warned Guardio senior threat analyst Maria Chen. “Victims receive seemingly legitimate emails that mimic official Facebook notifications, but behind the scenes, their login details are being harvested.”
Background
The phishing campaign uses Google’s AppSheet, a no-code development platform primarily used for creating custom business applications. Attackers configure AppSheet bots to send mass emails that appear as routine notifications from Facebook, such as password reset prompts or security alerts.
When a user clicks a link in these emails, they are directed to a fake Facebook login page hosted on the attacker’s infrastructure. Any credentials entered are immediately stolen and logged in the AccountDumpling database. The stolen accounts are then sold on a dedicated marketplace that offers bulk purchases at aggressive prices, with some accounts going for as little as $0.10 each.
Key Tactics Used by Threat Actors
- Bypassing security filters – Emails sent via AppSheet’s official infrastructure appear legitimate and often evade spam filters.
- Social engineering – Messages weaponize urgency and fear, prompting users to enter credentials without verifying the source.
- Automated resale – Stolen accounts are cataloged and sold within hours, making recovery difficult for victims.
What This Means
This attack highlights a growing trend where cybercriminals abuse legitimate cloud services to carry out phishing. Google has acknowledged the misuse and is working to strengthen AppSheet’s security protocols. However, Guardio warns that the threat remains active.
For Facebook users, the incident underscores the importance of using strong, unique passwords and enabling two‑factor authentication. Businesses that rely on Facebook for marketing or customer engagement risk losing not only their accounts but also associated data and brand reputation.
“This is a wake‑up call,” said Chen. “Even trusted services can be turned against us. Users must remain skeptical of any unsolicited email that asks for login credentials, no matter how genuine it may appear.”
Guardio has shared indicators of compromise with Facebook and Google, and recommended immediate account reviews for affected users. The investigation is ongoing, and security experts urge anyone who receives suspicious emails to report them to phishing@guardio.com.
Related Articles
- 10 Things 45 Days of Monitoring Your Own Tools Reveals About Your Attack Surface
- How Mozilla's Mythos AI Found 271 Firefox Vulnerabilities with Minimal False Positives
- The Expanding Role of Frontier AI in Next-Generation Cybersecurity
- 10 Key Takeaways from Pwn2Own Berlin 2026: Day 2 Exploits Expose Critical Flaws
- How Hacker News Commenters Reveal the Best Coding Models: An Automated Analysis
- 8 Critical Facts About the New xlabs_v1 Botnet Hijacking IoT Devices via ADB
- Framework’s Living Room Keyboard: A Wireless TouchPad Solution for Couch Computing
- Critical PAN-OS Zero-Day Under Active Exploitation: Urgent Patch Required