30,000 Facebook Users Hacked By Google AppSheet Phishing Trap
By 813 Staff

The AppSheet API was never designed to be a phishing vector, but internal documents now circulating among security teams confirm that attackers weaponized it to siphon credentials from over 30,000 Facebook accounts. The campaign, first flagged by researchers and widely reported by The Hacker News (@TheHackersNews) on May 1, exploited Google’s low-code platform to create convincing login pages that bypassed standard email filters. Engineers close to the project say the attackers registered malicious AppSheet apps mimicking Meta’s account recovery interface, then distributed links through compromised Telegram groups and sponsored Instagram posts. The phishing pages requested Facebook email and password fields, then used AppSheet’s built-in webhook functionality to exfiltrate the data to attacker-controlled servers in real time.
The rollout of detection measures has been anything but smooth. Google has since suspended the specific AppSheet accounts tied to the campaign, but sources inside the security response teams confirm that the infrastructure was designed to be ephemeral—many of the malicious apps were auto-deleted within 48 hours of creation, making forensic reconstruction difficult. Victims appear concentrated in the Philippines, Brazil, and Indonesia, though researchers have identified lures tailored to English-speaking users impersonating Meta’s verified badges program. The campaign likely began in late March 2026, but the full blast radius remains unconfirmed as incident responders continue mapping AppSheet instances that may have been dormant.
Why this matters is straightforward: low-code platforms now represent a trust gap that traditional security tools are not calibrated to catch. AppSheet apps run under a legitimate google.com domain, so corporate email gateways and browser-based phishing filters often classify the URLs as safe. This is the same attack vector that compromised Microsoft Power Apps environments in 2023, but now it has reached consumer-scale accounts. For Meta, the exposure of 30,000 credentials means these accounts can be used for further account takeover, spreading disinformation, or launching ad fraud schemes. Meta has not yet publicly confirmed whether any accounts with financial or page admin privileges were among the compromised set.
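The trust gap described above is that a reputation-based filter sees a legitimate platform hostname and stops looking. One defensive counter is to treat "user-hostable" platform domains as a separate category and combine that signal with credential-lure wording in the message. The Python below is an added illustration written for this article, not code from Google, Meta or the researchers cited; the platform list, the lure keywords and the sample messages are constructed for the example (the AppSheet URL path is illustrative, not a real app).

```python
import re
from urllib.parse import urlparse

# Assumption: an illustrative list of platforms whose hostnames are legitimate
# but which let any user publish their own pages under them. Not an official
# list; a real deployment would maintain its own.
USER_HOSTABLE_PLATFORMS = {
    "appsheet.com": "Google AppSheet",
    "script.google.com": "Google Apps Script",
    "sites.google.com": "Google Sites",
}

# Wording typical of credential-harvesting lures (constructed for the example).
CREDENTIAL_LURE_TERMS = (
    "account recovery", "verify your account", "verified badge",
    "password", "login", "unusual activity",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_matches(host, platform):
    """True if host equals the platform domain or is a subdomain of it.
    Label-boundary matching stops 'appsheet.com.evil.example' from matching."""
    host = host.lower().rstrip(".")
    return host == platform or host.endswith("." + platform)


def classify_url(url):
    """Return the platform name if the URL is hosted on a user-hostable
    platform, otherwise None."""
    try:
        host = urlparse(url).hostname or ""
    except ValueError:
        return None
    for platform, name in USER_HOSTABLE_PLATFORMS.items():
        if host_matches(host, platform):
            return name
    return None


def score_message(subject, body):
    """Score one message: each platform-hosted URL adds 2, each lure phrase
    adds 1. Returns (score, list of human-readable findings)."""
    raw = subject + "\n" + body
    text = raw.lower()
    findings = []
    score = 0
    for url in URL_RE.findall(raw):
        url = url.rstrip(".,;:)")  # drop trailing punctuation captured by the regex
        platform = classify_url(url)
        if platform:
            findings.append(f"user-hostable platform URL ({platform}): {url}")
            score += 2
    lure_hits = [t for t in CREDENTIAL_LURE_TERMS if t in text]
    if lure_hits:
        findings.append(f"credential lure wording: {', '.join(lure_hits)}")
        score += len(lure_hits)
    return score, findings


def is_suspicious(subject, body, threshold=3):
    """A platform-hosted URL alone is not enough; it must co-occur with lure text."""
    score, _ = score_message(subject, body)
    return score >= threshold


# Constructed sample messages (not real lures or real app identifiers).
SAMPLE_PHISH = {
    "subject": "Action required: account recovery for your Facebook profile",
    "body": "We detected unusual activity. Restore access here: "
            "https://www.appsheet.com/start/constructed-app-id-000",
}
SAMPLE_BENIGN = {
    "subject": "Q3 budget sheet",
    "body": "Updated numbers: https://docs.google.com/spreadsheets/d/constructed-id",
}
SAMPLE_LOOKALIKE = {
    "subject": "Please login",
    "body": "login here: https://appsheet.com.evil.example/start/x",
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN),
                      ("lookalike", SAMPLE_LOOKALIKE)):
        score, findings = score_message(msg["subject"], msg["body"])
        print(f"{name}: score={score} suspicious={is_suspicious(msg['subject'], msg['body'])}")
        for f in findings:
            print("  -", f)
```

The lookalike sample is there to show the label-boundary check: a host such as `appsheet.com.evil.example` is not treated as the platform, so the platform signal stays meaningful rather than becoming a substring match an attacker could trigger at will. The scoring threshold is deliberately above what a single platform URL produces, since plenty of legitimate mail links to these services.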
What happens next depends on how quickly Google enforces stricter review for AppSheet projects that request Facebook OAuth permissions. Engineers close to the project expect an update to AppSheet’s abuse detection within two weeks, but that timeline may shift as the scale of abuse becomes clearer. For now, any user who clicked a fake account recovery link since March should assume their credentials were harvested, rotate passwords immediately, and check for unrecognized sessions—because the API logs, if they still exist, won’t tell the whole story.
Source: https://x.com/TheHackersNews/status/2050276786995630282

