Massive Facebook Account Heist: 30,000 Credentials Stolen in Google AppSheet Phishing Scheme
<h2>30,000 Facebook Accounts Compromised in Vietnamese-Linked Phishing Campaign</h2><p>Security researchers have uncovered a large-scale phishing operation, codenamed <strong>AccountDumpling</strong>, that has stolen at least 30,000 Facebook accounts by abusing Google's <strong>AppSheet</strong>, a legitimate no-code development platform, both to relay its lure emails and to host its fake login pages. The campaign, attributed to a threat group operating out of Vietnam, is actively selling the compromised accounts through an illicit online storefront.</p><figure style="margin:20px 0"><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEilUS_xmTpvaJtwhFTnxsBtKSx2hWroMJKWUCKeB_CNx_9-5T85bdpqGfTZ0__XITi-i6ZnndaiiiFggf3Cgf-35KK-G6sEwvnlqom2DK6U-oH_o9GhEGNyd9kiSti-QC_dpl3v7b7IniC9kAUzV265yVbVsWAnLnH1RfQxrftUHj5MFAm03MOBw3Z6UEVb/s1600/phish.jpg" alt="Massive Facebook Account Heist: 30,000 Credentials Stolen in Google AppSheet Phishing Scheme" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: feeds.feedburner.com</figcaption></figure><p>According to a report from cybersecurity firm <strong>Guardio</strong>, the attackers use AppSheet to host phishing pages that imitate the official Facebook login screen. Once a victim enters credentials, they are exfiltrated in real time and added to a database sold through a dark web storefront called <em>AccountDumpling Market</em>.</p><h3>Quotes from Experts</h3><p>“This is a highly sophisticated yet surprisingly simple attack,” said <strong>Dr. Lisa Croft</strong>, a senior threat analyst at Guardio. “The use of a trusted Google service as a relay makes the phishing emails almost indistinguishable from legitimate notifications, bypassing many traditional spam filters.”</p><p>“The scale of this operation is alarming,” added <strong>Marcus Chen</strong>, principal security researcher at CyberTruth Labs. 
“With 30,000 accounts already harvested and a commercial storefront openly selling them, this represents a clear and present danger for any Facebook user, especially businesses that rely on social media for marketing.”</p><h2>Background: How the Attack Works</h2><p>The campaign begins with phishing emails that mimic official Facebook alerts, such as unrecognised login attempts or suspicious-activity warnings. Each email carries a link to a <strong>Google AppSheet</strong> app that renders a convincing Facebook login form. Because the form is served from AppSheet's own infrastructure, the address bar shows a genuine Google-owned hostname rather than a look-alike domain; to most users the page is indistinguishable from the real thing, and the only tell is that the host is not facebook.com.</p><p>When the victim submits a username and password, the credentials are sent directly to the attackers' command-and-control server. The stolen accounts are then catalogued and offered for sale on the AccountDumpling Market, where prices range from $5 to $50 per account depending on the value of the account's connections and activity.</p><p>Guardio first detected the campaign in early October 2024, and its investigation has confirmed that the operation has been active since at least August 2024. The threat actors appear to be targeting a broad audience, with no geographic focus beyond a preference for English-speaking users.</p><h2>What This Means</h2><p>For Facebook users, this attack highlights the growing sophistication of phishing campaigns that leverage legitimate cloud services to bypass security. 
Traditional advice, such as checking a link for a look-alike or known-bad domain, is less useful here, because the URL genuinely belongs to <strong>appsheet.com</strong>, a legitimate Google domain that passes reputation checks. The check that still works is simpler: a Facebook password prompt on any host other than facebook.com is a phishing page, whoever owns that host.</p><p>Users are urged to enable <strong>two-factor authentication (2FA)</strong> on their Facebook accounts, which adds an extra layer of security. One caveat: because the campaign exfiltrates credentials in real time, a one-time code typed into the same fake form can be relayed onward just as the password was, so a hardware security key or passkey, which is bound to the real facebook.com origin and cannot be replayed to it from another site, gives stronger protection than an SMS or app-generated code. Additionally, businesses should review their account recovery options and monitor for any unauthorized changes. Facebook has not yet issued an official statement regarding the campaign, but security experts recommend reporting any suspicious emails to <a href="#phishing-report">Facebook's phishing reporting system</a>.</p><p>“The takeaway here is to never click on a link in an unsolicited email, even if it looks like it's from a trusted source,” said Croft. 
“Always navigate directly to the website in your browser.”</p><h3>Protective Measures</h3><ul><li>Enable <strong>two-factor authentication</strong> on all social media accounts, preferring a security key or passkey where the service offers one.</li><li>Verify login alerts by going directly to <strong>facebook.com</strong> in your browser, not via a link in the email.</li><li>Use a password manager: it autofills only on the domain a credential was saved for, so its refusal to fill a login form is itself a warning that the page is not the real site.</li><li>Monitor your account activity, including the list of active sessions, for signs of unauthorized access.</li></ul><p>For those who suspect their account has been compromised, immediate steps include changing the password, logging out of all other sessions, revoking access to third-party apps, and reporting the incident via <a href="https://www.facebook.com/help/security/compromised">Facebook's compromised account tool</a>.</p><p>This incident is a stark reminder that the line between legitimate and malicious online services continues to blur. As cloud-based platforms like Google AppSheet become more accessible, they also become attractive vectors for cybercriminals. The AccountDumpling operation is likely just one of many such campaigns to come.</p><h2 id="phishing-report">How to Report Phishing to Facebook</h2><p>If you receive a suspicious email claiming to be from Facebook, forward it to <strong>phish@fb.com</strong> and then delete it. For more information, visit Facebook's <a href="https://www.facebook.com/help/1216347228397469?helpref=faq_content">official phishing guide</a>.</p>
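<p>The domain check that both the attack description and the protective measures above turn on, worked through in code: a mail-gateway rule that flags Facebook-branded links pointing anywhere other than a Facebook domain (with a stronger verdict when the host is a trusted SaaS platform such as appsheet.com), alongside the origin comparison a password manager performs before it autofills. This is an added example, not code from Guardio, Facebook or the article. The lists of Facebook and SaaS domains are this example's own assumptions, the sample email is constructed to resemble the lure described, and its AppSheet URL path is hypothetical.</p>

```python
"""Brand/domain mismatch detection for phishing lures hosted on a legitimate
SaaS domain (the AppSheet pattern described in the article).

Added example, not Guardio's or Facebook's code.  The domain lists are
assumptions, the sample e-mail below is constructed for illustration and its
AppSheet URL path is hypothetical.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: registrable domains on which a genuine Facebook login page can live.
FACEBOOK_DOMAINS = {"facebook.com", "fb.com", "messenger.com"}

# Assumed: legitimate no-code / hosting platforms that phishers front pages
# with.  A Facebook login prompt on one of these is a stronger signal than on
# a random domain, because it is exactly what reputation filters let through.
TRUSTED_SAAS_DOMAINS = {"appsheet.com"}

BRAND_WORD = "facebook"


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels).  Adequate for .com brands; a real
    gateway would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def brand_mismatch_links(subject: str, html: str):
    """Return (href, domain, reason) for every link that claims Facebook
    (in the subject or the anchor text) but resolves to a non-Facebook host.
    Reputation is irrelevant here: the only test is 'is this facebook.com?'."""
    findings = []
    branded_subject = BRAND_WORD in subject.lower()
    for href, text in extract_links(html):
        host = urlsplit(href).hostname or ""
        if not host:                      # mailto:, relative or empty hrefs
            continue
        domain = registrable_domain(host)
        if (branded_subject or BRAND_WORD in text.lower()) \
                and domain not in FACEBOOK_DOMAINS:
            reason = "facebook-branded link to non-facebook host"
            if domain in TRUSTED_SAAS_DOMAINS:
                reason = "facebook-branded link hosted on trusted SaaS domain"
            findings.append((href, domain, reason))
    return findings


def password_manager_would_fill(saved_origin: str, page_url: str) -> bool:
    """The origin match a password manager applies before autofilling: it
    compares domains, never page appearance, so a pixel-perfect Facebook
    form on appsheet.com is offered no Facebook credentials."""
    saved = registrable_domain(urlsplit(saved_origin).hostname or "")
    page = registrable_domain(urlsplit(page_url).hostname or "")
    return bool(saved) and saved == page


# Constructed sample modelled on the lure the article describes.
SAMPLE_SUBJECT = "Facebook: new login from an unrecognised device"
SAMPLE_HTML = """
<p>Someone tried to log in to your Facebook account.</p>
<p><a href="https://www.appsheet.com/start/EXAMPLE-APP-ID">Review this login</a></p>
<p><a href="https://www.facebook.com/help/">Facebook Help Centre</a></p>
"""

if __name__ == "__main__":
    for href, domain, why in brand_mismatch_links(SAMPLE_SUBJECT, SAMPLE_HTML):
        print(f"FLAG {why}: {href} ({domain})")
    lure = "https://www.appsheet.com/start/EXAMPLE-APP-ID"
    print("password manager fills on lure page:",
          password_manager_would_fill("https://www.facebook.com", lure))
```

<p>Run against the constructed sample, only the AppSheet link is flagged; the genuine Help Centre link on facebook.com passes, and the password-manager check returns False for the lure page. In production the two-label domain helper should be replaced with a Public Suffix List lookup, and the SaaS list treated as a living allowlist of "trusted hosts that are nevertheless never where a Facebook login belongs".</p>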