30,000 Facebook Accounts Hacked via Google AppSheet Phishing — How to Protect Yourself
Breaking: Security researchers at Guardio discovered a Vietnamese-linked operation that compromised roughly 30,000 Facebook accounts using Google AppSheet as a phishing relay. Here's what happened and how to protect yourself.
The Attack: How "AccountDumpling" Worked
Security researchers at Guardio have uncovered a sophisticated phishing operation they've codenamed AccountDumpling. The campaign, linked to Vietnamese threat actors, used an unusual and clever technique: routing phishing emails through Google AppSheet, a legitimate Google service for building no-code apps.
Here's the attack chain:
- Phishing email sent via AppSheet: Because the emails originated from Google's infrastructure (appsheet.com), they bypassed most spam filters and email security tools
- Fake Facebook login page: The email directed victims to a convincing fake Facebook login page that captured usernames and passwords
- Credential harvesting: Stolen credentials were automatically collected and verified
- Account resale: The compromised accounts were sold through an illicit storefront operated by the same threat actors
The result: approximately 30,000 Facebook accounts compromised and sold, primarily targeting business accounts and accounts with advertising access — which are worth significantly more on criminal markets.
Why This Attack Was So Effective
Traditional phishing emails are relatively easy to detect — they come from suspicious domains, have poor formatting, or trigger spam filters. AccountDumpling bypassed these defenses by abusing a trusted platform.
This is part of a broader trend called "living off trusted sites" (LOTS) attacks, where criminals abuse legitimate services to conduct malicious activity. Recent examples include:
- Using Google Docs to host phishing pages
- Sending malware via legitimate file-sharing services
- Using Microsoft Forms for credential harvesting
- Now: using Google AppSheet as a phishing relay
The challenge for defenders: you can't simply block Google's infrastructure without breaking legitimate business tools. This makes LOTS attacks particularly difficult to stop at the network level.
Am I at Risk? How to Check Your Facebook Account
If you received any unexpected emails about Facebook in the past few weeks, or if you clicked a link in an email and entered your Facebook credentials, you may be at risk. Here's how to check:
Step 1: Check Active Sessions
Go to Facebook Settings → Security and Login → Where You're Logged In. Look for any devices or locations you don't recognize. If you see anything suspicious, click "Log Out of All Sessions" immediately.
Step 2: Review Recent Activity
Check your Facebook activity log for posts, messages, or ad campaigns you didn't create. Compromised business accounts are often used to run fraudulent ads.
Step 3: Check Connected Apps
Go to Settings → Apps and Websites. Remove any apps you don't recognize or no longer use.
Step 4: Enable Two-Factor Authentication
If you haven't already, enable 2FA immediately. Go to Settings → Security and Login → Two-Factor Authentication. Use an authenticator app, not SMS.
How a Password Manager Protects You from Phishing
This attack highlights one of the most powerful — and underappreciated — features of password managers: domain-matched autofill.
When you save your Facebook password in a password manager, it's saved for facebook.com. When you visit a phishing page at faceb00k-login.appsheet.com or any other fake domain, your password manager simply won't autofill. It doesn't recognize the domain.
This is a hard technical barrier that phishing attacks cannot easily bypass. Even if you're fooled by a convincing fake page, your password manager won't be.
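The domain-matching behaviour described above, and the "living off trusted sites" problem from the earlier section (a mail relayed through a legitimate service whose links point somewhere other than the brand it names), both reduce to one question: what is the registrable domain of a hostname, and does it match the domain we expect? The block below is an added example written for this article, not code from any password manager or from Guardio. It models the autofill decision with a tiny, constructed public-suffix table (real managers consult the full Public Suffix List) and then reuses the same helper to flag off-brand links in a constructed sample email. The saved entry, the sample email and the brand map are all assumptions made for the demo.

```python
"""Added example: domain-matched autofill and off-brand link detection.

Not the article's own code, nor any vendor's. The suffix table, the saved
entry and the sample email are constructed for this demonstration.
"""
import re
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Constructed subset of public suffixes. appsheet.com is deliberately NOT
# listed: every *.appsheet.com host therefore shares one registrable
# domain (appsheet.com), which is what a manager compares against.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 for a host ('www.facebook.com' -> 'facebook.com').

    Scans from the longest candidate suffix to the shortest so 'co.uk'
    wins over 'uk'. Returns None if no known suffix matches or the host
    is itself a public suffix.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


def should_autofill(saved_url: str, current_url: str) -> bool:
    """Model of the manager's decision for one saved entry.

    Fill only when the current page is served over HTTPS and shares the
    registrable domain the credential was saved for. A lookalike such as
    faceb00k-login.appsheet.com resolves to appsheet.com and is refused;
    so is facebook.com.evil.net, whose registrable domain is evil.net.
    """
    saved_host = urlparse(saved_url).hostname or ""
    current = urlparse(current_url)
    if current.scheme != "https":  # never fill on plain HTTP
        return False
    saved_dom = registrable_domain(saved_host)
    return saved_dom is not None and saved_dom == registrable_domain(
        current.hostname or ""
    )


# Crude anchor-tag extractor; enough for the demo, not a full HTML parser.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def suspicious_links(html: str, brands: dict) -> List[Tuple[str, str]]:
    """Flag links whose visible text names a brand but whose href lands on
    a different registrable domain. `brands` maps a lower-case brand word
    to its registrable domain, e.g. {"facebook": "facebook.com"}.

    This is a heuristic: a news article that mentions Facebook and links
    to itself would also be flagged, so treat hits as triage signals.
    """
    findings = []
    for href, text in ANCHOR_RE.findall(html):
        target = registrable_domain(urlparse(href).hostname or "")
        lowered = text.lower()
        for word, domain in brands.items():
            if word in lowered and target != domain:
                findings.append((href, " ".join(text.split())))
                break
    return findings


# Constructed sample mail body modelled on the campaign's pattern.
SAMPLE_EMAIL = """<p>Your Facebook page has a policy violation.</p>
<a href="https://faceb00k-login.appsheet.com/start">Review your
Facebook account</a>
<a href="https://www.facebook.com/help">Facebook Help Center</a>"""

BRANDS = {"facebook": "facebook.com"}

if __name__ == "__main__":
    saved = "https://facebook.com/login"
    for page in ("https://www.facebook.com/",
                 "https://faceb00k-login.appsheet.com/login",
                 "https://facebook.com.evil.net/",
                 "http://www.facebook.com/"):
        print(f"{page:45} autofill={should_autofill(saved, page)}")
    for href, text in suspicious_links(SAMPLE_EMAIL, BRANDS):
        print(f"SUSPICIOUS: '{text}' -> {href}")
```

Running it prints `autofill=True` only for the real `www.facebook.com` page and flags the single AppSheet link, while the genuine Help Center link passes. The HTTPS check mirrors a common manager policy of refusing to fill on unencrypted pages; the brand heuristic in `suspicious_links` is the kind of secondary signal a mail gateway can apply precisely because it cannot simply block a trusted relay like appsheet.com.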
Here are the best password managers for phishing protection:
1. 1Password — Best Overall with Phishing Alerts
1Password's Watchtower feature actively monitors for compromised passwords and phishing-related threats. Its domain-matched autofill is precise and reliable. The Travel Mode feature lets you hide sensitive vaults when crossing borders.
- ✓ Watchtower breach monitoring
- ✓ Precise domain-matched autofill
- ✓ Travel Mode for border crossings
- ✓ Excellent browser extensions
- ✗ No free tier (14-day trial only)
- ✗ Slightly more expensive than Bitwarden
2. Bitwarden — Best Free Option
Bitwarden is fully open-source — the code is publicly audited. The free tier includes unlimited passwords across unlimited devices, which is exceptional value. Strong phishing protection through domain-matched autofill.
- ✓ Fully open-source and audited
- ✓ Free tier: unlimited passwords, unlimited devices
- ✓ Self-hosting option for maximum control
- ✓ Strong domain-matched autofill
- ✗ Interface less polished than 1Password
- ✗ Breach reports require paid plan ($10/year)
3. Dashlane — Best for Dark Web Monitoring
Dashlane includes real-time dark web monitoring that alerts you if your credentials appear in breach databases. Particularly relevant given the AccountDumpling operation selling stolen accounts. Also includes a built-in VPN.
- ✓ Real-time dark web monitoring
- ✓ Built-in VPN (Hotspot Shield)
- ✓ Password Health score
- ✓ Excellent browser integration
- ✗ More expensive than competitors
- ✗ Free tier limited to 25 passwords
4. NordPass — Best for NordVPN Users
NordPass uses XChaCha20 encryption (more modern than AES-256) and integrates well with NordVPN. Data breach scanner included. Good value if you're already in the Nord ecosystem.
- ✓ XChaCha20 encryption
- ✓ Data breach scanner
- ✓ Bundles well with NordVPN
- ✓ Clean, simple interface
- ✗ Fewer advanced features than 1Password
- ✗ Free tier limited to one device
5. Keeper — Best for Families
Keeper offers strong family plans with up to 5 users and includes BreachWatch dark web monitoring. Zero-knowledge architecture means even Keeper can't see your passwords. Good for families wanting shared password management.
- ✓ BreachWatch dark web monitoring
- ✓ Strong family sharing features
- ✓ Zero-knowledge architecture
- ✓ Secure file storage included
- ✗ BreachWatch costs extra
- ✗ No free tier (30-day trial)
Password Manager Comparison: Phishing Protection
| Password Manager | Domain Autofill | Breach Monitoring | Free Tier | Price/month | Score |
|---|---|---|---|---|---|
| 1Password | ✓ Excellent | ✓ Watchtower | Trial only | $2.99 | 9.5/10 |
| Bitwarden | ✓ Strong | Paid only | ✓ Unlimited | Free/$0.83 | 9.2/10 |
| Dashlane | ✓ Strong | ✓ Real-time | 25 passwords | $4.99 | 9.0/10 |
| Keeper | ✓ Strong | ✓ BreachWatch | Trial only | $2.92 | 8.8/10 |
| NordPass | ✓ Good | ✓ Included | 1 device | $1.49 | 8.7/10 |
5 Steps to Protect Your Social Media Accounts Right Now
- Enable 2FA on all social accounts — Facebook, Instagram, Twitter/X, LinkedIn. Use an authenticator app, not SMS
- Use a password manager — Unique, strong passwords for every account. The autofill protection alone is worth it
- Be suspicious of emails about your accounts — Go directly to the website instead of clicking email links. Type facebook.com in your browser
- Check connected apps regularly — Remove apps you don't use from all social accounts
- Monitor for breaches — Use identity theft protection or check HaveIBeenPwned.com regularly
Frequently Asked Questions
How did hackers use Google AppSheet to steal Facebook accounts?
The attackers used Google AppSheet as a phishing relay. Because AppSheet is a legitimate Google service, emails sent through it bypass many spam filters. The phishing emails directed victims to fake Facebook login pages that captured credentials. The stolen accounts were then sold through an illicit storefront.
How can I tell if my Facebook account was compromised?
Check Facebook's Security and Login settings (Settings > Security and Login > Where You're Logged In). Look for unfamiliar devices or locations. Also check your email for Facebook notifications about logins you don't recognize. If you see anything suspicious, change your password immediately and enable two-factor authentication.
Does a password manager protect against phishing attacks?
Yes, significantly. Password managers autofill credentials only on the exact domain they were saved for. If you're on a fake Facebook page, your password manager won't autofill — a clear warning sign. This is one of the strongest protections against phishing attacks.
What is the best password manager to protect against phishing?
1Password, Bitwarden, and Dashlane all offer strong phishing protection through domain-matched autofill. 1Password's Watchtower feature also alerts you to compromised passwords. Bitwarden is the best free option with open-source code that anyone can audit.
Should I use two-factor authentication on Facebook?
Absolutely. Enable two-factor authentication on Facebook immediately if you haven't already. Use an authenticator app rather than SMS, as SMS can be intercepted via SIM swapping. 2FA means attackers need both your password AND your phone to access your account.
Bottom Line
The AccountDumpling campaign is a reminder that phishing attacks are getting more sophisticated. Attackers are now abusing trusted platforms like Google AppSheet to bypass security filters — and it's working.
The best defense is a combination of a password manager (for domain-matched autofill protection) and two-factor authentication. If you're not using both, start today.
Our top picks: 1Password for most users, Bitwarden if you want free and open-source. Pair either with identity theft protection to monitor for your data in future breaches.