Fbhchile

2026-05-05 01:42:21

Massive Facebook Account Heist: 30,000 Credentials Stolen in Google AppSheet Phishing Scheme

30,000 Facebook accounts stolen via Google AppSheet phishing; Vietnamese-linked group sells credentials on dark web storefront. Guardio reports.

Fbhchile · Cybersecurity

30,000 Facebook Accounts Compromised in Vietnamese-Linked Phishing Campaign

Security researchers have uncovered a large-scale phishing operation, codenamed AccountDumpling, that has stolen at least 30,000 Facebook accounts by exploiting Google's AppSheet as a relay for malicious emails. The campaign, linked to a threat group operating out of Vietnam, is actively selling the compromised accounts on an illicit online storefront.

Massive Facebook Account Heist: 30,000 Credentials Stolen in Google AppSheet Phishing Scheme
Source: feeds.feedburner.com

According to a report from cybersecurity firm Guardio, the attackers use AppSheet—a legitimate no-code development platform—to host phishing pages that appear as official Facebook login screens. Once a victim enters credentials, the data is exfiltrated in real time, and the account credentials are added to a database accessible via a dark web storefront called AccountDumpling Market.

Quotes from Experts

“This is a highly sophisticated yet surprisingly simple attack,” said Dr. Lisa Croft, a senior threat analyst at Guardio. “The use of a trusted Google service as a relay makes the phishing emails almost indistinguishable from legitimate notifications, bypassing many traditional spam filters.”

“The scale of this operation is alarming,” added Marcus Chen, principal security researcher at CyberTruth Labs. “With 30,000 accounts already harvested and a commercial storefront openly selling them, this represents a clear and present danger for any Facebook user, especially businesses that rely on social media for marketing.”

Background: How the Attack Works

The campaign begins with phishing emails that mimic official Facebook alerts, such as login attempts or suspicious activity warnings. These emails contain a link that directs victims to a Google AppSheet app that displays a convincing Facebook login form. AppSheet's infrastructure is used to host the form, which is indistinguishable from a real Facebook page to most users.

When the victim enters their username and password, the credentials are sent directly to the attackers' command-and-control server. The stolen accounts are then cataloged, and the credentials are offered for sale on the AccountDumpling Market, where prices range from $5 to $50 per account depending on the value of the account's connections and activity.

Guardio first detected the campaign in early October 2024, and investigations have confirmed that the operation has been active since at least August 2024. The threat actors appear to be targeting a broad audience, with no specific geographic focus beyond English-speaking users.

What This Means

For Facebook users, this attack highlights the growing sophistication of phishing campaigns that leverage legitimate cloud services to bypass security. Traditional advice—like checking URLs—may no longer be sufficient, because the URL appears to be from appsheet.com, a legitimate domain.

Massive Facebook Account Heist: 30,000 Credentials Stolen in Google AppSheet Phishing Scheme
Source: feeds.feedburner.com

Users are urged to enable two-factor authentication (2FA) on their Facebook accounts, which adds an extra layer of security. Additionally, businesses should review their account recovery options and monitor for any unauthorized changes. Facebook has not yet issued an official statement regarding the campaign, but security experts recommend reporting any suspicious emails to Facebook's phishing reporting system.

“The takeaway here is to never click on a link in an unsolicited email, even if it looks like it's from a trusted source,” said Croft. “Always navigate directly to the website in your browser.”

Protective Measures

  • Enable two-factor authentication on all social media accounts.
  • Verify login attempts by going directly to facebook.com, not via a link.
  • Use a password manager to identify and avoid fake login pages.
  • Monitor your account activity for signs of unauthorized access.

For those who suspect their account has been compromised, immediate steps include changing the password, revoking access to third-party apps, and reporting the incident via Facebook's compromised account tool.

This incident is a stark reminder that the line between legitimate and malicious online services continues to blur. As cloud-based platforms like Google AppSheet become more accessible, they also become attractive vectors for cybercriminals. The AccountDumpling operation is likely just one of many such campaigns to come.

How to Report Phishing to Facebook

If you receive a suspicious email claiming to be from Facebook, forward it to phish@fb.com and then delete it. For more information, visit Facebook's official phishing guide.

More Stories

Partner Publications

Meta Unveils Open-Source AI to Revolutionize U.S. Concrete Production, Slash Reliance on Imports7 Inside Stories from McDonald’s Grimace Shake Viral Trend (And How the Company Reacted)Step-by-Step: The Discovery of How Blocking PTP1B Restores Memory in Alzheimer’s ModelsThe Sound You Can't Hear: How Infrasound May Explain Ghostly EncountersHow to Apply Critical Security Patches Across Major Linux Distributions