30000 Facebook Accounts Hacked in AppSheet Phishing Attack
A sophisticated phishing campaign using Google's AppSheet platform has compromised approximately 30,000 Facebook accounts. Attackers tricked users into entering their credentials through malicious applications.
Incident Summary
The cybersecurity world has been shaken by a new and complex phishing attack affecting tens of thousands of Facebook users. According to a report that emerged on May 1, 2026, cybercriminals managed to seize control of approximately 30,000 Facebook accounts by leveraging Google's legitimate application development platform, AppSheet. This attack once again highlights how creative and audacious attackers can be in abusing user trust. At the core of the attack lies a social engineering tactic designed to persuade users to willingly hand over their Facebook login credentials.
The attackers created seemingly harmless and engaging applications on Google AppSheet. Lured with promises like "Who visited your profile?" or "Discover your secret admirers on Facebook," these apps targeted users' curiosity. When victims attempted to access these fake applications, they were prompted to log in with their Facebook accounts to receive the promised personalized data. However, the login screen they encountered was a fraudulent page, a pixel-perfect replica of Facebook's official interface. When users entered their username and password on this screen, this sensitive information was sent directly to servers controlled by the attackers. This method is known as "credential harvesting" and is one of the most common types of cyberattacks.
What makes this incident particularly alarming is that the attack utilized the infrastructure of a trusted brand like Google. Users are naturally less suspicious when they see an application hosted on a Google-owned domain. This factor significantly increased the attackers' success rate. The attack is considered a critical case, demonstrating both the fragility of individual digital security and how the infrastructure of major technology platforms can be abused for malicious purposes.
Scope and Nature of the Leaked Data
A compromised Facebook account represents far more than just a social media profile. By gaining full access to 30,000 user accounts, the attackers obtained a vast range of data. This data includes basic personal information such as users' full names, email addresses, phone numbers, dates of birth, and cities of residence. Even on its own, this information can be used for identity theft or other fraudulent activities.
Even more concerning is that the attackers also gained access to private messages (Messenger conversations), photos, videos, friend lists, and past activities. Private conversations can be used to blackmail victims or to target their friends and family with further social engineering attacks. Furthermore, many users use their Facebook account to log in to other online services (like Spotify, Instagram, and various e-commerce sites). This means that attackers could potentially take over victims' accounts on other platforms by using the "Log in with Facebook" feature. This cascading effect illustrates how devastating the theft of a single password can be.
The Technical Anatomy of the Attack
The technical foundation of this attack is based on a simple yet highly effective principle. The attackers first chose Google AppSheet, a no-code application development platform, as their tool. AppSheet allows businesses and individuals to quickly create mobile and web applications. The attackers used the legitimacy of this platform as a shield to develop their fraudulent apps.
The attack process involved the following steps:
- Application Development: The attackers created multiple applications on AppSheet that offered enticing promises (e.g., profile analysis). These apps were designed to have a professional appearance.
- Distribution: Links to these malicious applications were spread to a wide audience through social media ads, phishing emails, and private messages. The messages were often crafted with language that created a sense of urgency or curiosity.
- Credential Harvesting (Phishing): When a user clicked the link, they were redirected to the AppSheet application running on a Google-owned domain. The app requested that they log in with Facebook to use its features. The login page displayed at this point was identical to Facebook's original page, except for the URL.
- Data Collection: When victims entered their username and password into this fake form, the information was sent in plain text to the attackers' server. The attackers then used this information to log into the accounts and take control.
The success of this method relies on manipulating human psychology and the perception of trust. Many users assume that content is safe when they see a familiar domain like "google.com" in the browser's address bar. The attackers exploited this exact assumption.
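The anatomy above comes down to one observation a defender can act on: a login form is only as trustworthy as the host that receives the submitted credentials, not the domain the page happens to be served from. The following is an added example, not code from the article, Meta or Google. It classifies the destination of a credential submission as Facebook's own login host, a lookalike (the brand name appears in the hostname or path but the host is not Facebook), or a third-party host (including an otherwise reputable one such as appsheet.com), and runs that check over a few constructed web-proxy log lines. The allowlisted hostnames, the log format, the field names and the app path are all assumptions for illustration.

```python
"""Flag credential submissions that go anywhere other than the expected
identity provider. Added example; hostnames, log format and field names
below are assumptions, not values from the incident report."""
import re
from urllib.parse import urlparse

# Hosts assumed to legitimately receive Facebook login submissions.
FACEBOOK_LOGIN_HOSTS = {"facebook.com", "www.facebook.com", "m.facebook.com"}

# Form field names that indicate a password is being submitted (assumed set).
CREDENTIAL_FIELDS = {"pass", "password", "passwd", "pwd"}


def host_of(url):
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_facebook_login_host(host):
    """True for the allowlisted hosts or any subdomain of facebook.com."""
    return host in FACEBOOK_LOGIN_HOSTS or host.endswith(".facebook.com")


def classify_login_target(url):
    """Classify where a login form sends credentials.

    'legitimate'  : one of the Facebook login hosts
    'lookalike'   : 'facebook' appears in the host or path, but it is not Facebook
    'third-party' : any other host, trusted brand or not (e.g. appsheet.com)
    """
    parsed = urlparse(url)
    host = host_of(url)
    if is_facebook_login_host(host):
        return "legitimate"
    if "facebook" in host or "facebook" in parsed.path.lower():
        return "lookalike"
    return "third-party"


# Constructed proxy log lines, one per request:
#   <timestamp> <method> <url> fields=<comma-separated submitted field names>
SAMPLE_LOG = """\
2026-05-01T10:00:01Z POST https://www.facebook.com/login/ fields=email,pass
2026-05-01T10:02:15Z POST https://www.appsheet.com/start/EXAMPLE-APP-ID fields=email,pass
2026-05-01T10:03:40Z GET https://www.appsheet.com/start/EXAMPLE-APP-ID fields=
2026-05-01T10:05:09Z POST https://facebook-profile-viewer.example/login fields=login,password
2026-05-01T10:06:22Z POST https://shop.example/checkout fields=address,card
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) fields=(.*)$")


def find_suspicious_submissions(log_text):
    """Return (timestamp, url, classification) for every POST that carries a
    password-like field to a host that is not a Facebook login host."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not fit the assumed format
        ts, method, url, fields = match.groups()
        if method != "POST":
            continue  # only submissions can carry credentials
        names = {name for name in fields.split(",") if name}
        if not names & CREDENTIAL_FIELDS:
            continue  # no password field, not a login submission
        verdict = classify_login_target(url)
        if verdict != "legitimate":
            findings.append((ts, url, verdict))
    return findings


if __name__ == "__main__":
    for ts, url, verdict in find_suspicious_submissions(SAMPLE_LOG):
        print(f"{ts} {verdict:<12} {url}")
```

On the constructed sample the AppSheet-hosted submission is reported as third-party and the brand-named host as a lookalike, while the genuine facebook.com login and the checkout form are left alone. The useful design point is that the reputation of the hosting domain never enters the decision; only the relationship between the submitted fields and the receiving host does.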
Who Are the Affected Users?
The attack did not target a specific demographic group or geographical region. By its nature, any active Facebook user who is less aware of social engineering traps was a potential target. Users who are particularly curious about applications like "who viewed my profile," have lower levels of digital literacy, or lack sufficient knowledge about cybersecurity measures were more likely to fall for this trap.
However, it would be misleading to think that such attacks only affect inexperienced users. The professional-looking interfaces and the tactic of abusing legitimate platforms can catch even cautious users off-guard in a moment of distraction. Therefore, the 30,000 affected individuals are thought to represent a broad cross-section of society. This incident underscores that cybersecurity is not just a technical issue but also a behavioral practice that requires constant vigilance and awareness.
What Should You Do?
If you suspect your account may have been affected by this attack, or if you want to protect yourself from similar attacks in the future, there are several immediate steps you should take:
- Change Your Password Immediately: The first and most crucial step is to change your Facebook password right away. Ensure your new password is strong (containing a mix of uppercase/lowercase letters, numbers, and symbols) and that you are not using it on any other platform.
- Enable Two-Factor Authentication (2FA): 2FA adds an extra layer of security to your account. When this feature is enabled, you will need to enter a code sent to your phone in addition to your password when logging in from a new device. This helps protect your account even if your password is stolen.
- Check Your Account Activity: From Facebook's "Settings > Security and Login" section, review the locations and devices where your account is logged in. If you see an unrecognized device or location, end that session using the "Log Out" option.
- Review App Permissions: Check the "Apps and Websites" section in the settings menu to review the applications you have granted access to your account. Remove access for any suspicious or unused apps.
- Be Cautious of Phishing Attempts: Always be skeptical of messages and emails that offer tempting deals, ask for your personal information, or create a sense of urgency. Verify the sender's identity before clicking on any links.
Official Company Statements
Following the incident, both Meta (Facebook's parent company) and Google released statements. A Meta spokesperson stated that they were aware of the situation, were working to secure the affected accounts, and were sending notifications to users urging them to change their passwords and enable two-factor authentication. The spokesperson also emphasized that they are constantly improving their systems to combat such phishing attacks and fight malicious actors. The statement from Google confirmed that the abuse of the AppSheet platform had been identified, the related malicious applications were promptly removed, and security protocols were being reviewed to prevent similar incidents in the future.
Source
https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html