Phishing campaign using Google AppSheet compromises 30,000 Facebook accounts

The new threat: AccountDumpling and the abuse of legitimate platforms

Digital security is facing a new challenge following the discovery of a sophisticated phishing campaign dubbed AccountDumpling. Researchers at Guardio have alerted the public to an operation of Vietnamese origin that uses the Google AppSheet platform as a "relay" to distribute malicious emails, successfully compromising approximately 30,000 Facebook accounts.

The use of legitimate no-code development tools allows attackers to evade traditional security filters, as the emails appear to originate from trusted domains. This tactic demonstrates how human vulnerability remains the weakest link, even when attackers employ trusted infrastructure to mask their intentions.

The cybercrime ecosystem and data monetization

This hack is not an isolated incident, but rather part of an industrialized cybercrime chain. Once attackers take control of the accounts, they are not used solely for direct identity theft; instead, they are listed for sale in an illicit storefront managed by the same actors.

"The attackers have turned profile hijacking into an automated business model, where account access is the primary commodity," note Guardio experts.

Although this attack focuses on credential theft, it is essential to remember that the exposure of personal data is often a precursor to more serious attacks, including the deployment of ransomware in corporate environments if the compromised profiles have administrative permissions on business social media networks. As we have seen in other incidents, such as the critical vulnerability in cPanel and the associated hacking risk, the attack surface is constant and multi-vector.

Recommendations for protecting your digital identity

To avoid falling for these types of scams, it is vital to follow these guidelines:

1. Two-Factor Authentication (2FA): Always use authenticator apps or physical security keys instead of SMS.
2. Verify senders: Do not blindly trust emails, even if they use well-known corporate platforms like Google AppSheet.
3. Activity monitoring: Periodically review the devices connected to your Facebook account and close any unknown sessions.

The sophistication of these campaigns underscores the need for a proactive security posture. Technology, while powerful, can be used against us if proper digital hygiene protocols are not maintained.

Sources:

• The Hacker News (https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html)