[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f67VWape-QB7xMHHn7eZjm0hKo-AfBalh7Y8imz4afLw":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":35,"category":36,"article_tags":40},"cd357b06-1015-4ca9-8dc4-fa1ed9042723","30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign","30-000-facebook-accounts-hacked-via-google-appsheet-phishing-campaign-c476d0","A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a \"phishing relay\" to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are","A Vietnamese-linked threat actor operation codenamed AccountDumpling compromised approximately 30,000 Facebook accounts using Google AppSheet as a phishing relay to bypass spam filters. The campaign employed multiple lure tactics (account disablement, copyright complaints, verification reviews) targeting Facebook Business owners, with stolen credentials and 2FA codes exfiltrated via Telegram channels. The operator was identified as Phạm Tài Tân through metadata in Canva-generated PDFs, with victims primarily located in the US, Italy, Canada, the Philippines, India, Spain, Australia, UK, Brazil, and Mexico.","Vietnamese operation AccountDumpling hacked 30,000 Facebook accounts via Google AppSheet phishing relay.","30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Ravie LakshmananMay 01, 2026Malware \u002F Threat Intelligence A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a \"phishing relay\" to distribute phishing emails with an aim to compromise Facebook accounts. The activity has been codenamed AccountDumpling by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign. \"What we found wasn't a single phishing kit,\" security researcher Shaked Chen wrote in a report shared with The Hacker News. \"It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.\" The findings are just the latest example of how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims' Facebook accounts, which are then sold on underground ecosystems for monetary gain. The starting point of the latest attacks is a phishing email targeting Facebook Business account owners, claiming to be from Meta Support and urging them to submit an appeal, or risk getting their account permanently deleted. The emails are sent from a Google AppSheet address (\"noreply@appsheet.com\"), allowing them to bypass spam filters. This false sense of urgency is used to direct users to a fake web page designed to harvest their credentials. It's worth noting that a similar campaign was reported by KnowBe4 in May 2025. Over the past few weeks, these campaigns have adopted various kinds of lures designed to induce a \"Meta-related panic.\" These range from account disablement and copyright complaints to verification review, executive recruitment, and Facebook login alerts. The four main clusters identified by Guardio are listed below - Netlify-hosted Facebook help center pages that enable account takeover attacks, in addition to collecting dates of birth, phone numbers, and government-issued ID photos. The data is ultimately forwarded to an attacker-controlled Telegram channel. Blue badge evaluation lures that guide victims to Vercel-hosted \"Security Check\" or \"Meta | Privacy Center\" pages that are gated by a bogus CAPTCHA check before directing users to the phishing landing page to collect contact details, business information, credentials (after a forced retry), and two-factor authentication (2FA) codes and exfiltrate them to a Telegram channel. Google Drive-hosted PDFs masquerading as instructions to complete account verification to direct users to collect passwords, 2FA codes, government ID photos, and browser screenshots through html2canvas. The PDF documents are generated using a free Canva account. Fake job offers that impersonate companies like WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola to build rapport with the recipients and ask them to join a call or continue the discussion on attacker-controlled sites. Cumulatively, the Telegram channels associated with the first three clusters have been found to hold about 30,000 victim records, most of whom are located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico, and have been locked out of their own accounts. As for who is behind the operation, the smoking gun evidence has come from the PDFs generated as part of the third cluster using the free Canva account, with metadata listing a Vietnamese name \"PHẠM TÀI TÂN\" as the files' author. Further open-source intelligence has led to the discovery of a website (\"phamtaitan[.]vn\"), where they offer digital marketing services. In a post shared on X in February 2023, the website's handle said it \"specializes in providing digital marketing services, marketing resources, and consulting on effective digital marketing strategies.\" \"Taken together, they form a consistent picture of a large, Vietnamese-based, mega operation,\" Chen said. \"This campaign is bigger than a single AppSheet abuse. It's a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities. Another entry in the pattern we keep surfacing: trusted platforms repurposed as delivery, hosting, and monetization layers.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, data breach, Digital Fraud, Facebook, identity theft, Malware, Phishing, social engineering, Threat Intelligence ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production","https:\u002F\u002Fthehackernews.com\u002F2026\u002F05\u002F30000-facebook-accounts-hacked-via.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEilUS_xmTpvaJtwhFTnxsBtKSx2hWroMJKWUCKeB_CNx_9-5T85bdpqGfTZ0__XITi-i6ZnndaiiiFggf3Cgf-35KK-G6sEwvnlqom2DK6U-oH_o9GhEGNyd9kiSti-QC_dpl3v7b7IniC9kAUzV265yVbVsWAnLnH1RfQxrftUHj5MFAm03MOBw3Z6UEVb\u002Fs1600\u002Fphish.jpg","2026-05-01T18:09:00+00:00","2026-05-01T20:00:15.188001+00:00",8,[18,21,24,27,29,32],{"name":19,"type":20},"Phạm Tài Tân (AccountDumpling operators)","threat_actor",{"name":22,"type":23},"AccountDumpling","campaign",{"name":25,"type":26},"Google AppSheet","product",{"name":28,"type":26},"Facebook",{"name":30,"type":31},"Telegram","technology",{"name":33,"type":34},"Google","vendor","2e06f76c-d5b9-4f54-9eef-4d3447b10730",{"id":35,"icon":37,"name":38,"slug":39},null,"Breaches","breaches",[41,46],{"category":42},{"id":43,"icon":37,"name":44,"slug":45},"2c8f44d4-b56e-47cf-9677-04f22c9ee78d","Identity & Access","identity-access",{"category":47},{"id":48,"icon":37,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52,56,60],{"type":53,"value":54,"context":55},"domain","phamtaitan.vn","Operator's digital marketing services website linked to campaign mastermind",{"type":57,"value":58,"context":59},"email","noreply@appsheet.com","Spoofed Google AppSheet address used to send phishing emails bypassing spam filters",{"type":61,"value":22,"context":62},"malware","Campaign codename for Vietnamese phishing operation targeting Facebook accounts"]