Phishing Relay via Google AppSheet Compromises 30,000 Facebook Accounts
What Happened — A Vietnamese‑linked threat group leveraged Google AppSheet as a phishing relay, sending malicious emails that harvested credentials for roughly 30,000 Facebook accounts. The stolen accounts were subsequently sold on an underground marketplace.
Why It Matters for TPRM —
- Credential‑theft campaigns can expose your organization’s employees to account takeover, leading to brand abuse and data leakage.
- The use of legitimate SaaS (Google AppSheet) as a relay complicates detection and highlights supply‑chain risk in cloud‑based productivity tools.
- Compromised social media accounts can be weaponized for Business Email Compromise (BEC) or social engineering against partners.
Who Is Affected — Social media platforms (Facebook), their users, and any third‑party services that integrate with compromised accounts (e.g., marketing SaaS, CRM).
Recommended Actions —
- Review any third‑party integrations that rely on Facebook credentials and enforce MFA.
- Validate that your employees are educated on phishing tactics that use legitimate SaaS as relays.
- Monitor for anomalous login activity on social media accounts linked to corporate identities.
Technical Notes —
- Attack vector: Phishing via Google AppSheet “relay” app; no known CVE.
- Data types exfiltrated: usernames, passwords, and session tokens for Facebook accounts.
Source: The Hacker News
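The detection problem noted above, as an added example that is not from the original brief or its source: mail relayed through a legitimate SaaS platform passes SPF/DKIM/DMARC for that platform's own domain, so this check compares the brand a message claims against the sending domain and the link hosts instead. The domain sets, the `triage` function and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed values for illustration; tune both sets to your own mail flow.
RELAY_DOMAINS = {"appsheet.com"}  # SaaS platforms that send mail on a user's behalf
BRAND_DOMAINS = {"facebook.com", "facebookmail.com", "meta.com"}
BRAND_WORDS = re.compile(r"\b(facebook|meta)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return findings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if not in_domains(addr.rpartition("@")[2], RELAY_DOMAINS):
        return []  # this check only covers the SaaS-relay pattern
    body = "" if msg.is_multipart() else msg.get_payload()  # single-part text only
    findings = []
    claimed = BRAND_WORDS.search(" ".join([display, msg.get("Subject", ""), body]))
    if claimed:
        findings.append("brand-claim-from-relay")
        hosts = [urlparse(u).hostname for u in URL_RE.findall(body)]
        if any(not in_domains(h, BRAND_DOMAINS) for h in hosts):
            findings.append("off-brand-link")
        # The relay platform signs its own mail, so a pass here clears nothing.
        if "dmarc=pass" in msg.get("Authentication-Results", "").lower():
            findings.append("auth-pass-despite-impersonation")
    return findings

# Constructed sample messages (not real traffic; addresses and hosts are made up).
SUSPECT = (
    "From: Facebook Support <sender@appsheet.com>\n"
    "Subject: Your Facebook page violates policy\n"
    "Authentication-Results: mx.example.net; spf=pass; dkim=pass; dmarc=pass\n"
    "\n"
    "Appeal within 24 hours: https://appeal.example.org/case\n"
)
BENIGN = (
    "From: AppSheet <sender@appsheet.com>\n"
    "Subject: Inventory app: row updated\n"
    "\n"
    "Row 12 was updated in your app.\n"
)
print(triage(SUSPECT), triage(BENIGN))
```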