30,000 Facebook Accounts Compromised in Google AppSheet Phishing Campaign

30,000 Facebook users had their accounts compromised, exposing personal data and enabling potential identity theft or unauthorized account access.
Attackers turned a productivity platform into a credential-stealing operation.
Google AppSheet, a no-code application tool, was weaponized to deploy fake Facebook login pages.

Thirty thousand people discovered, in the span of a single campaign, that trust itself can be weaponized. Attackers repurposed Google AppSheet — a legitimate no-code platform — as a vehicle for fraudulent Facebook login pages, harvesting credentials from users who had every reason to believe they were on familiar ground. The breach is less a story about technical failure than about the enduring human vulnerability to borrowed legitimacy: when trusted names are used as cover, even the cautious can be deceived. It is a reminder that security, like trust, is not a destination but a continuous practice.

  • Thirty thousand Facebook accounts were quietly seized through a phishing operation that required no hacking of Facebook's servers — only the willingness of users to type their passwords into a convincing fake.
  • Google AppSheet, a tool built to democratize app creation, was turned against the very users its ecosystem was designed to serve, exposing a blind spot in how no-code platforms police their own infrastructure.
  • The scale — tens of thousands of victims — signals a campaign that was both broadly distributed and surgically convincing, suggesting attackers who understood their audience and knew exactly how to reach them.
  • Each compromised account now carries downstream risk: password reuse means a stolen Facebook credential can become a key to email inboxes, bank portals, and beyond.
  • Google and Meta are almost certainly working to close the gap, but the harder question — how quickly platforms can detect and dismantle phishing infrastructure built on their own tools — remains unanswered.
  • The clearest immediate defense remains two-factor authentication, a lock that would have held even when the password was freely given away.

Thirty thousand Facebook users found their accounts no longer their own after attackers deployed a phishing campaign through Google AppSheet, a legitimate no-code platform used by businesses and developers worldwide. The method was straightforward: fraudulent login pages designed to mirror Facebook's interface were distributed through AppSheet, and users — seeing the familiar names of two trusted companies — had little reason to hesitate before entering their credentials.

What made the campaign striking was not its technical complexity but its exploitation of legitimacy. The attackers needed no zero-day vulnerability and no access to Facebook's servers. They needed only to borrow the credibility of Google and Facebook long enough to convince tens of thousands of people to hand over their passwords voluntarily. That thirty thousand did so speaks to the sophistication of the social engineering involved.

The consequences for affected users are immediate and layered. Beyond the work of reclaiming compromised accounts, many face broader exposure: password reuse across services means a stolen Facebook credential can open doors to email, banking, and other sensitive platforms. The ripple effects of a single phishing session can extend far beyond the original target.

The incident places pressure on both Google and Meta to examine how their platforms monitor for malicious use and how quickly they can dismantle phishing infrastructure once it appears. AppSheet's ease of use — its defining feature — also makes it an attractive tool for attackers who want to deploy convincing pages without technical expertise. The openness that makes such platforms valuable is the same quality that makes them vulnerable to abuse.

For users, the lesson is familiar but worth repeating: two-factor authentication would have protected accounts even after passwords were surrendered. Vigilance about where credentials are entered, and skepticism toward authentication pages encountered outside expected contexts, remain the most reliable defenses in an environment where trusted names can so easily be turned against the people who trust them.

Thirty thousand Facebook users woke up to find their accounts no longer their own. Attackers had used Google AppSheet, a no-code application platform owned by Google, to orchestrate a phishing campaign that harvested login credentials at scale. The mechanics were straightforward but effective: fraudulent authentication pages designed to mimic Facebook's login interface were deployed through AppSheet, tricking users into surrendering their usernames and passwords.

The campaign represents a notable exploitation of trust. Google AppSheet is a legitimate tool used by businesses and developers to build applications without writing code. By weaponizing it as a delivery mechanism for phishing pages, attackers turned a productivity platform into a credential-stealing operation. Users who encountered the fake login pages likely had little reason to suspect they were being targeted—the attack leveraged the legitimacy of both Google and Facebook's names to lower their guard.

What made this campaign particularly effective was its scale and the sophistication of the social engineering involved. Thirty thousand compromised accounts did not happen by accident. The attackers clearly understood how to reach Facebook users, how to craft convincing fake login pages, and how to distribute them widely enough to net tens of thousands of victims. Each of those thirty thousand people now faced the prospect of unauthorized access to their accounts, exposure of personal data, and the potential for identity theft or further exploitation.

The breach exposes a vulnerability in how users interact with authentication across platforms. Even security-conscious individuals can be caught off guard when a trusted company's tools are repurposed for malicious ends. The attackers did not need to break into Facebook's servers or exploit a zero-day vulnerability in the platform itself. They simply needed to convince people to hand over their credentials voluntarily.

For the affected users, the immediate consequences are concrete. Anyone whose account was compromised now faces the work of reclaiming it—changing passwords, reviewing account activity, checking for unauthorized changes to profile information or payment methods, and monitoring for signs of identity theft. The ripple effects extend beyond Facebook itself; many people reuse passwords across services, meaning a compromised Facebook credential could potentially unlock access to email accounts, banking portals, or other sensitive platforms.

Google and Meta are almost certainly investigating how AppSheet was exploited and what security gaps allowed the phishing pages to persist. The incident raises questions about how no-code platforms monitor for malicious use, how quickly they can detect and take down phishing infrastructure, and what responsibility platform owners bear when their tools are weaponized. AppSheet's ease of use—its core selling point—also makes it an attractive vector for attackers who want to deploy phishing pages without technical expertise.

The campaign also underscores the enduring power of credential harvesting as an attack method. Despite years of security awareness training and the widespread availability of two-factor authentication, phishing remains devastatingly effective. Thirty thousand accounts is not a small number. It suggests that either the phishing pages were extremely convincing, the distribution was extremely broad, or both. The attackers clearly understood their target audience and how to reach them.

Moving forward, the incident serves as a reminder that security is not a single lock but a series of them. Users who enable two-factor authentication on their Facebook accounts would have prevented unauthorized access even if their passwords were stolen. Reviewing app permissions and being cautious about where credentials are entered remain essential practices. For platforms like Google and Meta, the challenge is balancing the openness that makes their ecosystems valuable with the vigilance required to prevent abuse.

The Hearth Conversation

Another angle on the story

Inventor

Why did the attackers choose Google AppSheet specifically? Couldn't they have just built their own phishing pages?

Model

They could have, but AppSheet gave them legitimacy. When a phishing page appears to come from Google's infrastructure, users are far less likely to question it. It's borrowed trust—the attacker gets to piggyback on Google's reputation.

Inventor

So the thirty thousand people who fell for this—were they careless, or was the deception just that good?

Model

Probably both. Phishing works because it exploits the gap between how we think we behave online and how we actually behave. Even careful people get tired, distracted, or caught off guard. The attackers knew this.

Inventor

What happens to those thirty thousand accounts now? Are they just gone?

Model

Not gone, but compromised. The attackers have access. They could change passwords, steal personal data, impersonate the users, or sell the credentials to other criminals. The real work starts when users try to reclaim their accounts.

Inventor

Could this have been prevented? Was there a moment where someone should have caught it?

Model

Google probably should have detected the phishing pages faster and removed them. But honestly, the real prevention happens on the user side—two-factor authentication would have stopped this cold. The problem is adoption. Most people still don't use it.

Inventor

Does this mean Google AppSheet is now unsafe to use?

Model

Not necessarily. It means any platform can be abused if someone is determined enough. The question is how quickly the platform responds when abuse is discovered. That's where the real test lies.
