Around 30,000 Facebook accounts were quietly stolen in a sophisticated phishing campaign that used Google’s own AppSheet platform as a relay to send convincing fake emails. The operation, tracked by security researchers as AccountDumpling, was linked to Vietnamese-speaking hackers who didn’t just steal accounts — they sold them through their own underground online storefront. This wasn’t a random smash-and-grab; it was an organised, automated business built on tricking ordinary people out of their Facebook logins.
What Is Google AppSheet and How Did Hackers Abuse It?
Google AppSheet is a legitimate no-code app-building platform — the kind of tool a small business owner might use to build a simple inventory app or a teacher might use to create a student tracker, without writing a single line of code. It’s a real Google product, which is exactly why hackers found it so useful.
Because AppSheet is a trusted Google service, emails sent through it often pass straight through spam filters without raising any red flags. Security tools that scan incoming emails look at the sender’s reputation — and when that sender is Google, they tend to wave it through. The hackers exploited this trust, using AppSheet as a “phishing relay” to send emails that looked like they came from Facebook or Meta, complete with official-looking branding and urgent language designed to get you to click a link immediately.
As reported by The Hacker News — a trusted cybersecurity outlet followed by over 1.2 million professionals on LinkedIn — the campaign was uncovered by researchers at Guardio, a browser security company. Their team traced the operation back to a coordinated group running what amounts to a full account-theft business.
How the Facebook Phishing Attack Actually Worked
Here’s the step-by-step of how ordinary people got caught out, explained without the tech jargon:
- You receive an official-looking email — It appears to come from Facebook or Meta, warning you about a policy violation, a copyright issue, or that your account is at risk of being disabled.
- The email passes spam filters — Because it was routed through Google AppSheet, your email provider sees it as a legitimate Google communication and lets it through.
- You click the link — The email contains a link to a fake Facebook login page that looks pixel-perfect. The URL might even contain words like “meta” or “facebook” to seem convincing.
- You enter your login details — The moment you type your email and password, those credentials are captured and sent directly to the hackers.
- Your account goes up for sale — The stolen account is listed on the group’s own illicit storefront, where buyers can purchase access to real Facebook accounts for scamming, advertising fraud, or impersonation.
This is what makes phishing campaigns like this one so dangerous — the whole chain is automated and moves faster than most people realise. By the time you notice something is wrong, your account may already have a new owner.
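For readers who run their own mail filtering, here is an added example (not code from the article, from Guardio or from Meta) of the kind of check a defender can apply to catch exactly this pattern: a message whose display name claims to be Facebook or Meta, but whose sending domain, envelope sender and links all belong to someone else, wrapped in the pressure language the campaign used. The sample emails, the relay domain and the lookalike domain are constructed placeholders, not AppSheet's real sending domain or any real phishing host; the list of "legitimate" Facebook domains is an assumption for the example.

```python
"""Flag 'brand relay' phishing: mail that claims to be from Facebook/Meta but
arrives from, and links to, domains the brand does not own.

Added example for illustration; not code from the article, from Guardio or
from Meta. Sample domains below are constructed placeholders.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the campaign impersonated (named in the article) and the domains we
# ASSUME legitimately belong to them; extend for your own environment.
BRAND_KEYWORDS = ("facebook", "meta")
LEGIT_DOMAINS = {"facebook.com", "facebookmail.com", "fb.com", "meta.com"}

# Pressure phrases of the kind the article describes (policy violation,
# copyright, account about to be disabled).
URGENCY_PHRASES = ("policy violation", "copyright", "will be disabled",
                   "within 24 hours", "permanently disabled")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registrable_domain(host):
    """Last two DNS labels ('www.facebook.com' -> 'facebook.com').
    Crude but adequate here; a real filter would use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of(address):
    """Registrable domain of an e-mail address, or '' if it has none."""
    return registrable_domain(address.rsplit("@", 1)[1]) if "@" in address else ""


def body_text(msg):
    """Concatenate the decoded text/plain and text/html parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_email):
    """Score one raw RFC 5322 message; 'suspicious' when score >= 2."""
    msg = message_from_string(raw_email)
    findings, score = [], 0

    display, from_addr = parseaddr(msg.get("From", ""))
    claims_brand = any(k in display.lower() for k in BRAND_KEYWORDS)

    # 1. Display name says Facebook/Meta, but the From domain is not theirs.
    from_domain = domain_of(from_addr)
    if claims_brand and from_domain not in LEGIT_DOMAINS:
        findings.append(f"brand '{display}' sent from {from_domain}")
        score += 2

    # 2. Envelope sender (Return-Path) shows the relay rather than the brand.
    rp_domain = domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if claims_brand and rp_domain and rp_domain not in LEGIT_DOMAINS:
        findings.append(f"return-path via {rp_domain}")
        score += 1

    text = body_text(msg)
    # 3. Links whose URL contains the brand name but resolve to another domain.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if any(k in url.lower() for k in BRAND_KEYWORDS) and \
                registrable_domain(host) not in LEGIT_DOMAINS:
            findings.append(f"lookalike link to {host}")
            score += 2

    # 4. Urgency language: a weak signal on its own, so it never triggers alone.
    haystack = (msg.get("Subject", "") + "\n" + text).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency phrases: " + ", ".join(hits))
        score += 1

    return {"score": score, "suspicious": score >= 2, "findings": findings}


# Constructed samples. 'relay-platform.example' stands in for any trusted
# third-party mail relay; 'meta-business-review.example.net' for a lookalike host.
PHISH_SAMPLE = """\
Return-Path: <bounce@relay-platform.example>
From: "Meta Business Support" <noreply@relay-platform.example>
To: owner@example.com
Subject: Your page violated our policies
Content-Type: text/plain; charset="utf-8"

Your account will be disabled within 24 hours due to a policy violation.
Review the decision here: https://meta-business-review.example.net/appeal
"""

LEGIT_SAMPLE = """\
Return-Path: <notification@facebookmail.com>
From: "Facebook" <notification@facebookmail.com>
To: owner@example.com
Subject: New login
Content-Type: text/plain; charset="utf-8"

You logged in from a new device. Review at https://www.facebook.com/security
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, analyse(sample))
```

The point of scoring rather than blocking on any single signal is that each check is weak alone: a genuine Meta notification may well mention a policy, and plenty of honest newsletters go out through a third-party relay. What sets this campaign apart is the combination, a brand name in the display field with a sender, envelope and link domain that all belong to someone else, and that is what pushes the score over the line.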
Why Should You Care — Even If You’re Not a Business?
You might think, “I’m just a regular person, why would anyone want my Facebook account?” The answer is: your account has real value to scammers, even if you don’t.
A genuine, aged Facebook account with real friends and activity is worth money on underground markets. Hackers use these accounts to run scam ads (charging the original owner’s payment method), impersonate you to ask your friends for money, spread misinformation, or launder fraudulent activity through what looks like a legitimate profile. Facebook business accounts — used by shop owners, freelancers, and marketers across India, the UAE, Saudi Arabia, the UK, and the USA — are even more valuable because they often have ad budgets attached.
India in particular has one of the largest Facebook user bases in the world, making Indian users a prime target for campaigns like AccountDumpling. In the UAE and Saudi Arabia, where Facebook and Instagram are heavily used for business promotion, a compromised account can result in thousands of dollars in fraudulent ad spend charged to the account owner before they even notice.
This isn’t just a tech problem — it’s a financial and personal safety problem that lands in the real world.
6 Steps You Can Take Right Now to Protect Your Facebook Account
The good news is that protecting yourself from the phishing attacks that get Facebook accounts hacked doesn’t require any technical knowledge. Here’s what you should do today:
- Turn on two-factor authentication (2FA) on Facebook — Go to Settings > Security and Login > Two-Factor Authentication. Choose an authenticator app (like Google Authenticator or Authy) rather than SMS if possible. Even if hackers get your password, they can’t log in without your second code.
- Never click links in emails about your Facebook account — Instead, open a new browser tab and type facebook.com directly. Log in from there and check your notifications. Real Facebook alerts will appear inside the app, not just by email.
- Check your active sessions — In Facebook’s Settings, go to Security and Login and look at “Where You’re Logged In.” If you see a device or location you don’t recognise, click “Log Out” on that session immediately.
- Use a password manager and a unique password — If your Facebook password is the same as your email, your bank app, or any other account, change it now. A password manager like Bitwarden (free) or 1Password generates and stores strong, unique passwords for every site.
- Install a browser security extension — Tools like Guardio, Malwarebytes Browser Guard, or Bitdefender TrafficLight flag known phishing pages before you even land on them. These are free or low-cost and work quietly in the background.
- Report suspicious emails to Facebook — Forward phishing emails to phish@fb.com. This helps Meta’s security team identify and shut down active campaigns faster.
For more practical guidance on securing your accounts, check out our how-to guides — written in plain English, no tech degree required.
What Businesses and Page Owners Should Do Immediately
If you run a Facebook Business Page, manage ads, or use Meta Business Suite for your company, the stakes are higher. Hackers specifically target business accounts because of the ad spend access.
- Audit your Business Manager access — Remove any accounts you don’t recognise from your Business Manager. Go to Business Settings > People and check every email listed.
- Set spending limits on your ad account — This caps how much can be charged even if someone gains access.
- Enable login alerts — Facebook can send you a notification every time someone logs into your account from a new device. Turn this on in Security and Login settings.
- Train your team — If employees manage your page, make sure they know not to click account warning emails without verifying directly through the app first.
The AccountDumpling campaign is a sharp reminder that even trusted platforms like Google can be weaponised against you. Staying alert to the phishing scams that get Facebook accounts hacked is now part of basic digital hygiene — for individuals and businesses alike.
Bottom Line
Hackers are getting smarter — routing phishing emails through trusted Google services so they land in your inbox looking completely legitimate. Turning on two-factor authentication and never clicking account-warning links in emails are the two simplest things you can do right now to keep your Facebook account safe. Don’t wait until it’s your account being sold online.