Vietnamese Hackers Hijack 30K Facebook Accounts via Google AppSheet Phishing
A newly uncovered Vietnamese‑linked phishing campaign has compromised roughly 30,000 Facebook accounts by abusing Google’s low‑code AppSheet platform as a covert relay. Researchers at Trend Micro have traced the operation, which they dub “AppSheet Phish,” to a threat actor that leverages the platform’s trusted infrastructure to bypass email security filters and deliver credential‑harvesting messages en masse.
The attack chain begins with socially‑engineered emails that appear to originate from legitimate Facebook notifications. Embedded links point to a Google AppSheet application that dynamically renders a phishing login page. Because the domain is owned by Google, many email gateways treat the traffic as benign, allowing the messages to slip past spam and anti‑phishing checks. The AppSheet backend uses Firebase Realtime Database for storing harvested credentials, while the app’s API is abused to send follow‑up messages to the victim’s contacts, amplifying the spread.
Facebook’s security team, working in tandem with Google’s Trust & Safety team, identified the campaign after observing an anomalous surge in login attempts from the AppSheet endpoint. The investigation revealed that the compromised accounts were used to exfiltrate personal data, including profile details, friends lists, and, in some cases, private messages. The scale of the breach places it among the larger social‑media credential theft incidents observed this year, underscoring the growing sophistication of threat actors who exploit legitimate cloud services.
Security practitioners are advised to enforce multi‑factor authentication (MFA) on all social‑media accounts, monitor for suspicious OAuth app permissions, and implement URL‑inspection policies that flag redirections through known trusted domains. Additionally, organizations should restrict the use of AppSheet and similar low‑code platforms to approved corporate environments and audit any newly created apps that request access to user data.
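The URL-inspection policy recommended above can be sketched as a mail-gateway check that flags messages claiming a brand while linking to a trusted low-code host instead of that brand's own domains. This is an added example, not code from the researchers or vendors named in the article; the host and brand lists, the function names, and the sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from urllib.parse import urlsplit

# Assumption: trusted low-code platform hosts to treat as possible relays.
RELAY_SUFFIXES = ("appsheet.com",)
# Assumption: brand keyword -> domains that brand legitimately links to.
BRANDS = {"facebook": ("facebook.com", "fb.com", "facebookmail.com", "meta.com")}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample messages (placeholder addresses and app id).
SUSPECT = ("From: Facebook Security <notify@mailer.example>\n"
           "Subject: Your Facebook page will be disabled\n\n"
           "Review: https://www.appsheet.com/start/EXAMPLE-APP-ID\n")
INTERNAL = ("From: Dana <dana@corp.example>\n"
            "Subject: Inventory app\n\n"
            "Open https://www.appsheet.com/start/EXAMPLE-APP-ID\n")
LOOKALIKE = ("From: Facebook <notify@mailer.example>\n"
             "Subject: Facebook alert\n\n"
             "See https://appsheet.com.evil.example/login\n")

def _under(host, suffixes):
    """True if host equals a suffix or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)

def inspect_message(raw):
    """Return (brand, host, url) for each brand/relay-host mismatch."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = f"{msg.get('From', '')} {msg.get('Subject', '')}".lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    findings = []
    for url in URL_RE.findall(body):
        # urlsplit drops any userinfo, so "brand.com@relay-host" is
        # judged by the host the browser would actually contact.
        host = urlsplit(url).hostname or ""
        for brand, own in BRANDS.items():
            if (brand in claimed and _under(host, RELAY_SUFFIXES)
                    and not _under(host, own)):
                findings.append((brand, host, url))
    return findings

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("internal", INTERNAL)):
        print(name, inspect_message(raw))
```

A hit here is a triage signal rather than a verdict: the check only covers a relay host on the list, so a lookalike domain such as the one in `LOOKALIKE` needs a separate reputation check.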