Thousands of Facebook accounts stolen by phishing emails sent through Google

The post Thousands of Facebook accounts stolen by phishing emails sent through Google appeared first on Malwarebytes.

Researchers have uncovered a long-running phishing operation that abuses trusted Google services to hijack tens of thousands of Facebook accounts.
The compromised Facebook accounts are mainly business and advertiser profiles, which criminals can monetize after gaining access and control.
The attackers found a way to send phishing emails that come “through Google,” making them look legitimate at first glance. The emails are sent via Google’s AppSheet platform, so they pass the usual technical checks (SPF, DKIM, DMARC), and many email filters treat them as trusted.
Google AppSheet is a development platform that lets people build mobile and web apps without writing code. It can automate workflows and notifications, and is typically used to send app-driven alerts and internal updates.
And that’s where the phishers abused it. The sender name can be customized, and the sending address may look something like [email protected], delivered through appsheet.bounces.google.com. To the average user, it looks like a perfectly normal notification, in these cases often about Facebook policy violations, copyright complaints, or verification issues.
Researchers linked these emails to a Vietnamese‑linked operation that has already compromised around 30,000 Facebook accounts and is still active.
The stolen accounts are mostly pages and business profiles that have financial value: advertising accounts, brand pages, and companies that rely on Facebook for marketing. Once inside, attackers run scams, place fraudulent ads, or sell access to others. In some cases, the same group offers “account recovery” services to fix the problems they created.


No matter the lure, the goal is the same: Facebook credentials, 2FA codes, and recovery data. The phishing sites are just the entry point. Behind them is a fairly industrial infrastructure built around Telegram bots and channels to collect and process stolen data.
How to stay safe
This campaign is not “just another phishing mail.” It is one more example of how attackers exploit the trust we place in major platforms.
Facebook does not send complaints, verification requests, security checks, job offers, and other urgent messages through Google infrastructure.

Any email that claims your Facebook or Instagram account is about to be disabled, locked, or punished deserves extra scrutiny, especially if it demands action within 24 hours.
If you get a worrying message about your account, go directly to facebook.com or the Facebook app. Don’t click links in the message.
If a form asks for a password, multiple 2FA codes, date of birth, phone number, and ID photos in one go, then stop. That’s the “full recovery pack” these attackers need to take over your account.
Set up 2FA for Facebook and set up login alerts for new devices and locations.
Be cautious with unusual messages from Facebook accounts. The account itself may be compromised.
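
For mail administrators, the mismatch described above (Facebook-themed notices whose envelope sender is appsheet.bounces.google.com, passing SPF, DKIM and DMARC) can be checked in message headers. The following is an added example, not part of the original post; the brand keyword list, function names and sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Envelope domain named in the article; the brand list is an assumption.
APPSHEET_BOUNCE = "appsheet.bounces.google.com"
BRAND = re.compile(r"\b(facebook|instagram|meta)\b", re.I)

def envelope_domain(msg):
    """Domain of the Return-Path (envelope sender), lowercased."""
    _, addr = parseaddr(msg.get("Return-Path", ""))
    return addr.rpartition("@")[2].lower()

def appsheet_brand_lure(raw):
    """Findings for one raw message; an empty list means the rule did not fire."""
    msg = email.message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    hit = BRAND.search(f"{display} {msg.get('Subject', '')}")
    if envelope_domain(msg) != APPSHEET_BOUNCE or not hit:
        return []
    findings = [f"'{hit.group(0)}' branding on mail sent via {APPSHEET_BOUNCE}"]
    # A pass here authenticates Google's sending domain, not the claimed brand.
    if "dmarc=pass" in msg.get("Authentication-Results", "").lower():
        findings.append("dmarc=pass is not evidence the brand sent it")
    return findings

# Constructed sample messages (addresses and hosts are placeholders).
LURE = """\
Return-Path: <bounce-1234@appsheet.bounces.google.com>
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
From: "Facebook Policy Team" <sender@placeholder.example>
Subject: Copyright complaint: action required within 24 hours

Body omitted.
"""
BENIGN = LURE.replace('"Facebook Policy Team"', '"Warehouse App"').replace(
    "Copyright complaint: action required within 24 hours", "Stock level alert")
OTHER_SENDER = LURE.replace("appsheet.bounces.google.com", "mail.placeholder.example")

if __name__ == "__main__":
    for name, raw in [("lure", LURE), ("benign", BENIGN), ("other", OTHER_SENDER)]:
        print(name, appsheet_brand_lure(raw))
```

Ordinary AppSheet notifications (the benign sample) do not trigger the rule, so it can route matches to quarantine or review without blocking the platform outright.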

Pro tip: Malwarebytes Scam Guard can help you spot phishing emails and messages on any platform. You can even use it in Claude and ChatGPT.


*** This is a Security Bloggers Network syndicated blog from Malwarebytes authored by Malwarebytes. Read the original post at: https://www.malwarebytes.com/blog/news/2026/05/thousands-of-facebook-accounts-stolen-by-phishing-emails-sent-through-google
