TL;DR
A sophisticated phishing campaign using Google AppSheet-based lures compromised over 30,000 Facebook accounts in April 2026, with attackers sending fake Meta-branded security alerts to harvest credentials and session tokens. The stolen accounts are now being resold on underground forums, marking one of the largest single-campaign Facebook account thefts in recent years.
What Happened
30,000 Facebook accounts were compromised in a coordinated phishing operation that weaponized Google AppSheet — a legitimate no-code development platform — to distribute convincing Meta-branded security alerts. The campaign, detected and analyzed by threat intelligence firm HiveMind Cyber on April 28, 2026, used AppSheet's native email notification system to bypass traditional email security filters, delivering phishing pages that captured both login credentials and session cookies.
Key Facts
- 30,000 Facebook accounts were compromised between April 15 and April 28, 2026, with the campaign accelerating in its final week.
- Attackers used Google AppSheet as a delivery mechanism, exploiting its legitimate email notification feature to send Meta-branded "Security Alert" messages.
- The phishing emails directed victims to fake Meta login pages hosted on AppSheet subdomains, which captured credentials and session tokens.
- Stolen accounts were resold on Telegram channels and dark web marketplaces for $15 to $50 per account, depending on follower count and account age.
- HiveMind Cyber identified the campaign on April 28 after detecting a spike in AppSheet-generated emails flagged as suspicious by enterprise security teams.
- Meta's security team was notified on April 29 and began revoking session tokens for affected accounts, though approximately 8,000 accounts remain compromised as of May 1.
- The phishing infrastructure leveraged over 200 unique AppSheet app URLs, making takedown efforts more complex than single-domain campaigns.
Breaking It Down
The AppSheet phishing campaign represents a dangerous evolution in attack methodology. By co-opting a legitimate Google service, the attackers exploited the trust asymmetry inherent in modern enterprise tools — AppSheet's email notifications are whitelisted by most email security gateways because the platform is widely used by businesses. This allowed the phishing messages to land directly in victims' primary inboxes rather than spam folders.
97% of the phishing emails were delivered to recipients' main inboxes, according to HiveMind Cyber's analysis of affected organizations.
The campaign's technical sophistication lay in its use of AppSheet's OAuth integration. When victims clicked the "Secure Your Account" button in the phishing email, they were redirected to a fake Meta login page that looked identical to Facebook's legitimate authentication flow. However, the page was actually an AppSheet-hosted web app that proxied the login request through a Man-in-the-Middle (MitM) framework, capturing both the password and the session cookie in real time. This dual capture meant that even users with two-factor authentication enabled were compromised, as the session token remained valid after the 2FA challenge.
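One defensive check that follows from the lure structure described above: flag a message that speaks for Meta/Facebook with security-alert wording while its sender domain and every link resolve outside Meta's own domains. This is an added example written for this page, not code from the campaign analysis or from HiveMind Cyber; the brand terms, the domain allowlist and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brand wording the lures reused and the domains a genuine Meta/Facebook alert
# would link to. Both are assumptions for this example; tune them locally.
BRAND_TERMS = ("meta", "facebook", "security alert", "secure your account")
BRAND_DOMAINS = {"facebook.com", "meta.com", "fb.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); enough for a small allowlist check."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def extract_links(msg) -> list[str]:
    """Collect every http(s) URL from the text/plain and text/html parts."""
    links = set()
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            body = (part.get_payload(decode=True) or b"").decode(
                part.get_content_charset() or "utf-8", "replace")
            links.update(URL_RE.findall(body))
    return sorted(links)

def brand_link_mismatch(raw_email: str) -> dict:
    """Flag mail that speaks for Meta/Facebook but is sent and linked off-brand."""
    msg = message_from_string(raw_email)
    brand_hit = any(term in raw_email.lower() for term in BRAND_TERMS)
    hosts = {registrable(urlparse(u).hostname or "") for u in extract_links(msg)}
    off_brand = sorted(h for h in hosts if h and h not in BRAND_DOMAINS)
    sender_domain = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    suspicious = brand_hit and bool(off_brand) and sender_domain not in BRAND_DOMAINS
    return {"suspicious": suspicious, "sender_domain": sender_domain, "off_brand_hosts": off_brand}

# Constructed samples (not real campaign artifacts) for the check above.
PHISH_SAMPLE = """From: "Meta Security" <noreply@notify.nocode-platform.example>
Subject: Security Alert: unusual login to your Facebook account
Content-Type: text/html; charset=utf-8

<a href="https://app.nocode-platform.example/start/abc123">Secure Your Account</a>
"""
LEGIT_SAMPLE = """From: "Facebook" <security@facebook.com>
Subject: Security Alert: new login to your Facebook account
Content-Type: text/html; charset=utf-8

<a href="https://www.facebook.com/settings/security">Review activity</a>
"""
```

The heuristic is deliberately narrow: it does not look at the sending platform at all, so it keeps working when a different notification service is abused, but an allowlist miss (a legitimate brand subdomain on another registrable domain) shows up as a false positive rather than a miss.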
The attackers also implemented geographic targeting to avoid detection. Analysis of the compromised accounts shows that 63% were from the United States, 22% from the United Kingdom, and the remainder scattered across Canada, Australia, and Western Europe. This geographic concentration suggests the attackers specifically targeted high-value English-speaking accounts, likely for resale to spammers and disinformation actors.
What Comes Next
The immediate priority is account recovery, but the campaign's long-tail effects will persist. Meta's session token revocation has protected approximately 22,000 accounts, but the remaining 8,000 compromised accounts — where attackers changed passwords and recovery emails before Meta acted — present a more complex challenge.
- May 5, 2026: Meta is expected to release a detailed security advisory with specific AppSheet URLs used in the campaign, enabling organizations to block these domains proactively.
- May 10–15, 2026: Expect copycat campaigns using other legitimate platforms — Microsoft Power Automate and Zapier are likely candidates, as both offer similar email notification features.
- Ongoing: The stolen accounts will fuel a surge in Facebook Marketplace scams and political disinformation campaigns over the next 30–60 days, as buyers operationalize their purchases.
- Q3 2026: Google may introduce stricter AppSheet email notification controls, including mandatory domain verification for all apps sending bulk emails, in response to this incident.
The Bigger Picture
This campaign highlights two converging trends: Platform Abuse and Credential Theft-as-a-Service. The use of legitimate platforms like AppSheet for phishing is not new, but the scale — 30,000 accounts in two weeks — demonstrates how attackers are industrializing this technique. Meanwhile, the resale of compromised accounts on Telegram channels represents a maturation of the underground economy, where stolen digital identities are treated as commodities with clear pricing tiers.
The second trend is Trust Collapse in Security Notifications. As users are increasingly bombarded with security alerts from dozens of services, the reflexive "click first, verify later" behavior becomes a vulnerability. This campaign specifically targeted that reflex by using Meta's own security alert language — a tactic that will likely be copied by threat actors targeting other platforms like LinkedIn, Twitter/X, and TikTok in the coming months.
Key Takeaways
- [Scale of Compromise]: 30,000 Facebook accounts were stolen in a single two-week campaign using Google AppSheet as a delivery mechanism, making it one of the largest phishing operations targeting Meta platforms in 2026.
- [Technical Method]: Attackers exploited AppSheet's legitimate email notification system and OAuth integration to bypass email security filters and capture both credentials and session tokens, defeating 2FA protections.
- [Ongoing Risk]: Approximately 8,000 accounts remain under attacker control as of May 1, with stolen credentials being actively resold on Telegram and dark web forums for $15–$50 per account.
- [Broader Implications]: Expect copycat campaigns using other no-code platforms (Power Automate, Zapier) within weeks, as threat actors replicate this technique at scale.