A Vietnamese-linked hacking operation turned Google’s own AppSheet platform into a phishing relay, compromising roughly 30,000 Facebook accounts and reselling them on the dark web in what security researchers are calling a brazen exploitation of trusted infrastructure.
The scheme, codenamed AccountDumpling by Guardio Labs, exposes a critical vulnerability in how legitimate cloud platforms can be weaponized by attackers. Rather than building their own phishing infrastructure, the hackers leveraged Google AppSheet—a low-code application development platform owned by Google—to distribute phishing emails at scale. The stolen accounts are now being sold through an illicit storefront operated by the threat actors themselves.
- The Platform Exploit: Hackers used Google’s own AppSheet infrastructure to send phishing emails, exploiting user trust in Google domains.
- The Scale: 30,000 Facebook accounts were compromised and are now being sold on dark web marketplaces.
- The Business Model: The operation runs end-to-end from credential theft to account resale, generating ongoing criminal revenue.
Google AppSheet is designed to help businesses build applications without extensive coding. Its accessibility and legitimacy made it an ideal vector for the attackers. By routing phishing emails through AppSheet, the hackers exploited the trust users place in Google’s domain and infrastructure. Recipients saw emails appearing to come from a Google-associated service, dramatically increasing the likelihood they would click malicious links or enter their credentials.
How Did Hackers Turn Google’s Platform Into a Phishing Tool?
Guardio’s research indicates the operation systematically targeted Facebook users over a period of time, with the phishing emails designed to harvest login credentials. Once the attackers obtained valid Facebook account credentials, they gained direct access to the accounts themselves. The scale—30,000 compromised accounts—suggests this was not a narrow, targeted attack but a broad campaign designed to generate inventory for resale.
The stolen accounts are now being marketed on dark web storefronts controlled by the same threat actors. This secondary monetization layer is significant: the hackers aren’t just stealing data for immediate use or to sell to other criminals. They’re operating an end-to-end criminal enterprise, from initial compromise through final sale. Buyers on these illicit marketplaces typically use compromised social media accounts for fraud, impersonation, spam distribution, or credential stuffing attacks against other services.
• 30,000 Facebook accounts compromised through Google AppSheet phishing
• Vietnamese threat actors operating end-to-end criminal marketplace
• Low-code platforms exploited for trusted domain phishing at scale
Why Are Legitimate Cloud Platforms Vulnerable to Abuse?
What makes this incident particularly concerning is the use of a legitimate, Google-owned platform as the attack vector. AppSheet is trusted by enterprises and developers worldwide. Users and organizations have no reason to distrust emails or communications that appear to originate from Google infrastructure. This trust asymmetry is what made the phishing campaign effective at scale.
The incident also highlights a persistent gap in cloud platform security: while Google maintains robust defenses against direct attacks on its own services, third-party applications built on its infrastructure can become conduits for abuse. Research on low-code platforms shows that their accessibility features can create monitoring blind spots for malicious use.
What Happens to Your Compromised Facebook Account?
Facebook users affected by this campaign face immediate risks. Compromised accounts can be used to impersonate the victim, send spam or phishing messages to their contacts, access private messages and photos, or serve as entry points for credential stuffing attacks on other services where the victim may have reused passwords. The accounts being sold on dark web marketplaces means the compromise is not contained to Facebook alone.
For users, the immediate concern is whether their account was among the 30,000 compromised. There is no public list of affected accounts released by either Google or Facebook. However, if you received a suspicious phishing email claiming to be from Google AppSheet or requesting Facebook credentials, your account may have been targeted. If you clicked a link or entered credentials, you should assume your Facebook account has been compromised.
• Change your Facebook password immediately using a secure device
• Enable two-factor authentication if not already active
• Review login history and active sessions for unauthorized access
How Should You Protect Your Account After This Breach?
The recommended response is straightforward: change your Facebook password immediately using a secure device. Use a strong, unique password that you don’t use on other sites. Enable two-factor authentication on your Facebook account if you haven’t already. Check your account’s login history and active sessions—Facebook allows you to review where and when your account has been accessed and to remotely log out sessions you don’t recognize.
Review your account settings for any unauthorized changes to email address, phone number, or recovery options. If you use the same password on other accounts, change those as well. Consider checking haveibeenpwned.com to see if your email address appears in other known breaches. This incident joins major data breaches that demonstrate how phishing campaigns continue to succeed at scale, even when they exploit the infrastructure of trusted companies.
Google has not yet released a public statement about the AccountDumpling campaign or whether it has taken action to restrict AppSheet’s use as a phishing relay. The incident underscores the tension between platform accessibility and security—the same features that make AppSheet useful for legitimate developers can be exploited by attackers operating at scale.
