Facebook Accounts Hacked via Google AppSheet Phishing Campaign

A Vietnamese-linked operation, dubbed “AccountDumpling” by Guardio, has compromised approximately 30,000 Facebook accounts. The Hacker News reports that attackers are leveraging Google AppSheet as a “phishing relay” to distribute malicious emails designed to steal Facebook credentials. This sophisticated use of a legitimate cloud service for phishing bypasses traditional email security controls, making detection challenging for many organizations.

Once compromised, these Facebook accounts are not just used for social engineering: The Hacker News indicates they are being sold through illicit online storefronts operated by the threat actors. This monetization strategy underscores the financial motivation behind the campaign, turning stolen access into direct profit for the attackers. At 30,000 accounts, the scale points to a significant, ongoing operation rather than a one-off attack.

This campaign highlights a critical shift in attacker tactics: abusing trusted platforms to lend legitimacy to phishing attempts. Defenders need to recognize that the mere presence of a Google domain in a URL no longer guarantees safety. Attackers are constantly evolving, finding new ways to weaponize legitimate infrastructure against unsuspecting users.
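
A defender-side triage check for the pattern described above, added here as an example and not taken from the article, The Hacker News, or Guardio. The relay and brand domain lists, the `noreply@appsheet.com` sender address, and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed policy values for this sketch; tune them to your own mail flow.
TRUSTED_RELAY_DOMAINS = {"appsheet.com"}   # SaaS senders that pass SPF/DKIM
BRAND_DOMAINS = {"facebook.com", "fb.com", "meta.com", "facebookmail.com"}
BRAND_RE = re.compile(r"\b(facebook|meta)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable(host):
    """Naive last-two-labels domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    """Return the reasons a message looks like brand phishing sent through a trusted relay."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2])
    body = msg.get_payload()
    claims_brand = bool(BRAND_RE.search(" ".join([display, msg.get("Subject", ""), body])))
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    off_brand = sorted({registrable(h) for h in hosts if h} - BRAND_DOMAINS)
    reasons = []
    if claims_brand and sender_domain in TRUSTED_RELAY_DOMAINS:
        reasons.append("brand named in mail sent from third-party relay " + sender_domain)
    if claims_brand and off_brand:
        reasons.append("links leave brand domains: " + ", ".join(off_brand))
    return reasons

# Constructed sample messages (not real campaign mail).
PHISH = (
    'From: "Meta Support" <noreply@appsheet.com>\n'
    "Subject: Your Facebook page is scheduled for removal\n"
    "\n"
    "Submit an appeal within 24 hours: https://appeal.example.net/case\n"
)
ROUTINE = (
    'From: "AppSheet" <noreply@appsheet.com>\n'
    "Subject: Weekly inventory report\n"
    "\n"
    "Open the report: https://www.appsheet.com/reports/weekly\n"
)

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("ROUTINE", ROUTINE)):
        print(name, triage(raw))
```

The check keys on the mismatch between the brand a message claims and the domain that actually sent it, so it still fires when SPF and DKIM pass for the relay.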

What This Means For You

  • If your organization relies on Facebook for business or marketing, or if your employees use Facebook, this campaign directly impacts your security posture. Remind all users about the dangers of unsolicited emails, even if they appear to originate from legitimate services like Google. Emphasize multi-factor authentication (MFA) for all Facebook accounts and any associated business pages. Attackers are not just going for personal data; they're looking for access to broader networks.

Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

  • AccountDumpling Phishing via Google AppSheet (severity: critical; technique: T1566.002; tactic: Initial Access)

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| AccountDumpling | Phishing | Google AppSheet used as a phishing relay |
| AccountDumpling | Phishing | Compromise of Facebook accounts |
| AccountDumpling | Information Disclosure | Stolen Facebook account credentials |