Vietnamese Hackers Exploit Google AppSheet to Steal 30,000 Facebook Accounts

From Touriddu, the free encyclopedia of technology

Massive Phishing Campaign Targets Facebook Users via Google AppSheet

More than 30,000 Facebook accounts have been compromised in a newly discovered phishing campaign linked to Vietnamese threat actors, security firm Guardio disclosed today. The attackers leveraged Google's AppSheet platform as a phishing relay to distribute malicious emails, bypassing traditional security filters.

Source: feeds.feedburner.com

The operation, code-named AccountDumpling, involves stealing credentials and then reselling the hijacked accounts through an illicit online storefront run by the same group. Guardio researchers say the campaign has been active for several months and continues to evolve.

“This campaign demonstrates how trusted platforms like Google AppSheet can be weaponized to carry out large-scale credential theft,” warned Guardio senior threat analyst Maria Chen. “Victims receive seemingly legitimate emails that mimic official Facebook notifications, but behind the scenes, their login details are being harvested.”

Background

The phishing campaign uses Google’s AppSheet, a no-code development platform primarily used for creating custom business applications. Attackers configure AppSheet bots to send mass emails that appear as routine notifications from Facebook, such as password reset prompts or security alerts.

When a user clicks a link in these emails, they are directed to a fake Facebook login page hosted on the attacker’s infrastructure. Any credentials entered are immediately stolen and logged in the AccountDumpling database. The stolen accounts are then sold on a dedicated marketplace that offers bulk purchases at aggressive prices, with some accounts going for as little as $0.10 each.

Key Tactics Used by Threat Actors

  • Bypassing security filters – Emails sent via AppSheet’s official infrastructure appear legitimate and often evade spam filters.
  • Social engineering – Messages weaponize urgency and fear, prompting users to enter credentials without verifying the source.
  • Automated resale – Stolen accounts are cataloged and sold within hours, making recovery difficult for victims.
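The first two tactics suggest a mail-side check: passing SPF/DKIM only proves which platform sent the message, so a filter should compare the brand a message claims against the sending domain and the link targets. The sketch below is an added example, not Guardio's tooling; the domain allowlist, the `appsheet.com` sender address and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist of Facebook-owned domains; extend it for your environment.
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com", "meta.com"}
BRAND_WORDS = re.compile(r"\b(facebook|meta)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample: authenticated mail from a third-party platform imitating a Facebook alert.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass; dkim=pass header.d=appsheet.com
From: "Facebook Security" <noreply@appsheet.com>
To: user@example.org
Subject: Action required: unusual login to your Facebook account
Content-Type: text/plain

We detected an unusual login. Confirm your identity within 24 hours:
https://fb-review.login-check.example/confirm?id=123
"""

def in_brand(host):
    # Exact match or true subdomain only, so "notfacebook.com" does not pass.
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def assess(raw):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = " ".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in msg.walk() if p.get_content_maintype() == "text")
    hosts = {(urlparse(u).hostname or "") for u in URL_RE.findall(body)}
    off_brand = sorted(h for h in hosts if not in_brand(h))
    claims_brand = bool(BRAND_WORDS.search(display + " " + msg.get("Subject", "")))
    auth = msg.get("Authentication-Results", "").lower()
    return {
        "sender_domain": sender_domain,
        # Recorded for the analyst; a pass never lowers the verdict.
        "auth_pass": "dkim=pass" in auth or "spf=pass" in auth,
        "off_brand_links": off_brand,
        # Brand is claimed, but the sender or a link target is not brand-owned.
        "suspicious": claims_brand and (not in_brand(sender_domain) or bool(off_brand)),
    }
```

Calling `assess(SAMPLE)` flags the message even though its authentication results pass, which is the gap the campaign relies on.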

What This Means

This attack highlights a growing trend where cybercriminals abuse legitimate cloud services to carry out phishing. Google has acknowledged the misuse and is working to strengthen AppSheet’s security protocols. However, Guardio warns that the threat remains active.


For Facebook users, the incident underscores the importance of using strong, unique passwords and enabling two‑factor authentication. Businesses that rely on Facebook for marketing or customer engagement risk losing not only their accounts but also associated data and brand reputation.

“This is a wake‑up call,” said Chen. “Even trusted services can be turned against us. Users must remain skeptical of any unsolicited email that asks for login credentials, no matter how genuine it may appear.”

Guardio has shared indicators of compromise with Facebook and Google, and recommended immediate account reviews for affected users. The investigation is ongoing, and security experts urge anyone who receives suspicious emails to report them to phishing@guardio.com.