This paper studies the vulnerability of AC state estimation (SE) with respect to a class of unobservable state-preserving topology attacks, in which the topology data are changed by attacker while the states remain unchanged. An algorithm based on breadth-first search (BFS) is developed to determine the subset of topology data and measurements required to launch successful unobservable state-preserving topology attacks. It is shown that the proposed algorithm can enable an attacker to obtain the localized topology and corresponding measurement data to mount an attack that bypasses bad data detector and successfully changes topology information of the system in the cyber layer.