
Facebook Accounts Hacked via Google AppSheet Phishing


30,000 Facebook accounts compromised through a Google AppSheet phishing campaign. Here's how the attack worked and what developers need to do now.

May 1, 2026 | VibeWShield News Agent | Source: thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

30,000 Facebook Accounts Compromised in AppSheet Phishing Attack

A phishing campaign has compromised roughly 30,000 Facebook accounts by abusing Google AppSheet, a legitimate no-code app platform. Attackers used AppSheet's trusted infrastructure to host and deliver phishing pages, effectively laundering malicious links through Google's own domain reputation. The Facebook phishing angle is the hook, but the deeper problem here is how attackers are increasingly weaponizing legitimate SaaS platforms to bypass email and browser security filters.

The attack is straightforward to execute and hard to detect at the network level. Because the phishing pages are hosted on appsheet.com, a domain owned by Google, standard domain reputation checks pass without issue. Users receive what looks like a legitimate Facebook security alert, click through to an AppSheet-hosted form, and enter their credentials directly into an attacker-controlled data sink. The entire flow stays on trusted infrastructure from the victim's perspective.

How the Google AppSheet Abuse Actually Works

AppSheet allows anyone with a Google account to build forms and apps that write data to Google Sheets or other backends. Attackers create a convincing Facebook login replica inside an AppSheet app, configure it to write submitted credentials to a private spreadsheet, and then distribute the link. No custom hosting, no suspicious domain registration, no SSL certificate to fake. Google handles all of that automatically.

This technique is part of a broader pattern called "living off trusted sites" (LOTS). Attackers use Cloudflare Pages, Google Forms, Microsoft SharePoint, and similar platforms for the same reason: the domains are globally trusted, indexed by security vendors as safe, and nearly impossible to block without disrupting legitimate workflows.

What's Actually at Risk for Developers and App Teams

If your users authenticate with Facebook Login (OAuth), a compromised Facebook account can cascade into your application. An attacker who owns the Facebook account can immediately use it to authenticate into any service where that account is linked.

Beyond OAuth risk, development teams often use shared Facebook Business Manager accounts or Meta developer credentials tied to personal profiles. A compromised personal Facebook account can expose app secrets, ad accounts, and pixel data if permissions are not scoped tightly.

The credential harvesting in this campaign also feeds into credential-stuffing attacks. Password reuse remains widespread, so stolen Facebook credentials often unlock unrelated accounts across banking, email, and SaaS tools.

How to Reduce Exposure Right Now

Start with your own applications. If you accept Facebook OAuth logins, enforce short token expiry windows and prompt re-authentication for sensitive actions. Review your application's exposed endpoints with an automated scan to catch any authentication gaps that would make a token-based attack easier.

For your users, phishing-resistant MFA is the practical fix. Hardware keys and passkeys stop credential phishing cold: the credential is bound to the legitimate site's origin, so there is no reusable secret for a victim to type into a fake form. TOTP apps are better than nothing but remain vulnerable to real-time phishing proxies that relay the code.

On the detection side, monitor for login anomalies tied to OAuth tokens. A Facebook login from an unusual geography or device immediately after a credential alert is a strong signal of account takeover.
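The two application-side controls described above, short token expiry with step-up re-authentication for sensitive actions and anomaly detection on Facebook OAuth logins after a credential alert, are shown together in the following added example. It is illustrative code written for this page, not code from the article, from VibeWShield, or from Meta; the thresholds, field names, action list and sample events are all constructed assumptions.

```python
"""Session hardening for apps that accept Facebook (OAuth) logins.

Added example, not code from the article or from any vendor product. It
models two defensive controls the text recommends: a step-up policy that
denies stale tokens and forces re-authentication for sensitive actions, and
an anomaly check that flags a login from a new country or device shortly
after a credential alert. All thresholds, field names and sample events are
constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set

TOKEN_MAX_AGE = timedelta(hours=1)       # assumed short expiry window for access tokens
REAUTH_MAX_AGE = timedelta(minutes=10)   # sensitive actions need a recent interactive login
ALERT_WINDOW = timedelta(hours=24)       # how long after a credential alert we stay suspicious
SENSITIVE_ACTIONS = {"change_email", "add_payment_method", "export_data", "rotate_app_secret"}


@dataclass
class Session:
    user_id: str
    issued_at: datetime      # when the current access token was issued
    last_auth_at: datetime   # last time the user proved identity interactively


def session_decision(session: Session, action: str, now: datetime) -> str:
    """Return 'deny' (token expired), 'reauth' (step-up needed) or 'allow'."""
    if now - session.issued_at > TOKEN_MAX_AGE:
        return "deny"
    if action in SENSITIVE_ACTIONS and now - session.last_auth_at > REAUTH_MAX_AGE:
        return "reauth"
    return "allow"


@dataclass
class LoginEvent:
    user_id: str
    at: datetime
    country: str
    device_id: str


@dataclass
class UserProfile:
    user_id: str
    known_countries: Set[str]
    known_devices: Set[str]
    credential_alert_at: Optional[datetime] = None  # e.g. the account appeared in a breach dump


def login_anomalies(event: LoginEvent, profile: UserProfile) -> List[str]:
    """List the reasons a login looks anomalous; an empty list means nothing unusual."""
    reasons = []
    if event.country not in profile.known_countries:
        reasons.append("new_country")
    if event.device_id not in profile.known_devices:
        reasons.append("new_device")
    if reasons and profile.credential_alert_at is not None:
        since_alert = event.at - profile.credential_alert_at
        if timedelta(0) <= since_alert <= ALERT_WINDOW:
            reasons.append("within_alert_window")  # strongest takeover signal
    return reasons


def is_takeover_signal(event: LoginEvent, profile: UserProfile) -> bool:
    """True when a new geography or device shows up inside the post-alert window."""
    return "within_alert_window" in login_anomalies(event, profile)


def demo() -> dict:
    """Run both controls over constructed sample data and return the results."""
    t0 = datetime(2026, 5, 1, 9, 0, tzinfo=timezone.utc)
    sess = Session("u123", issued_at=t0, last_auth_at=t0)
    profile = UserProfile("u123", {"DE"}, {"dev-laptop"}, credential_alert_at=t0)
    event = LoginEvent("u123", t0 + timedelta(hours=3), country="BR", device_id="dev-unknown")
    return {
        "routine": session_decision(sess, "view_profile", t0 + timedelta(minutes=30)),   # allow
        "sensitive": session_decision(sess, "export_data", t0 + timedelta(minutes=30)),  # reauth
        "expired": session_decision(sess, "view_profile", t0 + timedelta(hours=2)),      # deny
        "anomalies": login_anomalies(event, profile),  # new_country, new_device, within_alert_window
        "takeover": is_takeover_signal(event, profile),  # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The anomaly check deliberately reports `within_alert_window` only when something else is already unusual; a login from a known device and country after an alert is worth logging but is not by itself the takeover signal the text describes.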

Block or alert on AppSheet and similar no-code platform domains in outbound email links if your organization controls email filtering. It is a blunt instrument, but it reduces exposure to this specific class of attack.
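Because the link host itself passes reputation checks, a mail filter has to look at context instead: the "living off trusted sites" pattern described earlier, plus the alert-on-no-code-platform rule above. The following added example (written for this page, not code from the article or from any filtering product) extracts URLs from sample messages and combines three signals: whether the host is a known no-code platform, whether the text names a brand the link does not actually go to, and whether lure wording is present. The platform list, brand map, lure phrases and the sample messages are constructed assumptions, and the app ids in the links are placeholders.

```python
"""Flag phishing links that hide behind trusted no-code / hosting platforms.

Added example; not code from the article or from any mail-filtering product.
A URL on a platform such as appsheet.com passes domain reputation checks, so
the heuristic looks at context instead: a brand named in the message whose
link does not go to that brand's own domains, lure wording, and whether the
link host is a known no-code platform. The platform list, brand map, lure
phrases and sample messages are constructed assumptions; tune them locally.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Trusted platforms seen hosting phishing forms ("living off trusted sites")
NO_CODE_HOSTS = {"appsheet.com", "forms.gle", "docs.google.com",
                 "pages.dev", "sharepoint.com", "forms.office.com"}
# Brands that get impersonated, with the domains a genuine link would use
BRAND_DOMAINS = {"facebook": {"facebook.com", "fb.com", "meta.com"}}
LURE_PHRASES = ("security alert", "verify your account", "unusual login",
                "will be suspended", "confirm your identity")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_matches(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def analyze_message(subject: str, body: str) -> List[Dict]:
    """Return one finding per URL in the body, each with its flags and a verdict."""
    text = f"{subject}\n{body}".lower()
    lure = any(p in text for p in LURE_PHRASES)
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        on_platform = host_matches(host, NO_CODE_HOSTS)
        # brand mentioned in the text, but the link does not go to that brand's domains
        spoofed = [b for b, d in BRAND_DOMAINS.items() if b in text and not host_matches(host, d)]
        if on_platform and spoofed:
            verdict = "block"    # brand lure pointing at a no-code form: this campaign's pattern
        elif on_platform or (spoofed and lure):
            verdict = "alert"    # platform link without brand context, or lure with off-brand link
        else:
            verdict = "allow"
        findings.append({"url": url, "host": host, "on_platform": on_platform,
                         "spoofed_brands": spoofed, "lure": lure, "verdict": verdict})
    return findings


def worst_verdict(findings: List[Dict]) -> str:
    """Collapse per-link verdicts into one message-level decision."""
    order = {"allow": 0, "alert": 1, "block": 2}
    return max((f["verdict"] for f in findings), key=order.get, default="allow")


# Constructed sample messages; the app ids in the links are placeholders
SAMPLES = {
    "phish": ("Facebook Security Alert: unusual login detected",
              "We noticed an unusual login. Verify your account here: "
              "https://www.appsheet.com/start/EXAMPLE-APP-ID within 24 hours."),
    "legit": ("Weekly community digest",
              "New posts in your group: https://www.facebook.com/groups/example-group"),
    "internal": ("Team offsite signup",
                 "Please fill in the form: https://www.appsheet.com/start/INTERNAL-FORM-ID"),
}


if __name__ == "__main__":
    for name, (subject, body) in SAMPLES.items():
        findings = analyze_message(subject, body)
        print(name, worst_verdict(findings), [f["host"] for f in findings])
```

The "internal" sample shows why the platform rule is a blunt instrument: a genuine staff form on AppSheet only reaches "alert", never "block", so legitimate workflows can be reviewed rather than silently dropped, while a brand-impersonating message pointing at the same platform is blocked outright.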

You can also cross-reference your organization's exposed emails against breach databases regularly. Early warning gives time to force password resets before accounts are actively abused. Read more about proactive exposure monitoring in our guide to credential leak detection.


Why is Google AppSheet being used for phishing instead of a fake domain? AppSheet is hosted on Google infrastructure, so its domains pass reputation checks automatically. Attackers get trusted HTTPS and a globally recognized parent domain without any setup cost.

Can standard email filters catch AppSheet phishing links? Usually not. Because appsheet.com is a legitimate Google domain, most filters will allow it through. Detection requires heuristic analysis of the link content or user behavior after clicking.

If my app uses Facebook OAuth, am I directly at risk from this campaign? Your app itself is not directly attacked, but any user whose Facebook account is compromised can immediately use that account to log into your app. Enforce step-up authentication and monitor for anomalous OAuth sessions.


Run a free scan on your application to find authentication and session vulnerabilities before attackers do: VibeWShield Vulnerability Scanner
