Google, Vercel, Netlify, Canva and Adobe: 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign

Vietnamese-Linked Phishing Operation Hijacks 30,000 Facebook Accounts via Google AppSheet

A newly uncovered cybercriminal operation, dubbed AccountDumpling by Guardio Labs, has exploited Google AppSheet as a phishing relay to compromise approximately 30,000 Facebook accounts. The campaign, attributed to Vietnamese threat actors, targets business account owners with deceptive emails impersonating Meta Support, warning of imminent account deletion unless users submit an appeal.

The attack begins with phishing emails sent from a Google AppSheet address (noreply@appsheet.com), bypassing spam filters by leveraging the platform’s legitimacy. Victims are directed to fake Meta-branded pages, hosted on Netlify or Vercel or disguised as Google Drive PDFs, where they are tricked into entering credentials, two-factor authentication (2FA) codes, government ID photos, and other sensitive data. Stolen information is exfiltrated to attacker-controlled Telegram channels, which collectively hold records from victims across the U.S., Italy, Canada, the Philippines, and other countries.
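A mail-triage heuristic for the relay pattern described above, as an added example that is not code from the article or from Guardio Labs. It flags Meta branding arriving from a non-Meta sender when the message also comes from the AppSheet address or links to the hosting platforms named; the Meta sender domains, the hosting hostnames and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not taken from the article: the sender domains Meta mails from
# and the default hostnames of the hosting platforms the article names.
RELAY_DOMAINS = ("appsheet.com",)
META_DOMAINS = ("meta.com", "facebook.com", "facebookmail.com")
HOSTING_DOMAINS = ("netlify.app", "vercel.app", "drive.google.com")
BRAND = re.compile(r"\b(meta|facebook)\b", re.I)
URL = re.compile(r"https?://[^\s\"'<>)\[\]]+", re.I)

# Constructed sample; the recipient and link hostnames are placeholders.
SAMPLE = """\
From: Meta Support <noreply@appsheet.com>
To: owner@example.com
Subject: Your Facebook page is scheduled for deletion
Authentication-Results: mx.example.com; spf=pass; dkim=pass header.d=appsheet.com

Submit an appeal within 24 hours: https://appeal-form-example.netlify.app/review
"""

def in_domain(host, domains):
    """True if host equals, or is a subdomain of, one of the domains."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return (suspicious, reasons) for one single-part RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    # SPF/DKIM are deliberately ignored: mail sent through the real platform
    # authenticates for that platform's domain, so a pass says nothing here.
    branded = BRAND.search(f"{display} {msg.get('Subject', '')} {body}")
    mismatch = bool(branded) and not in_domain(sender, META_DOMAINS)
    if mismatch:
        reasons.append(f"Meta branding but sender domain is {sender}")
    if in_domain(sender, RELAY_DOMAINS):
        reasons.append("sent through an app-platform notification address")
    hosts = {(urlparse(u).hostname or "").lower() for u in URL.findall(body)}
    for host in sorted(h for h in hosts if in_domain(h, HOSTING_DOMAINS)):
        reasons.append(f"link to user-content hosting: {host}")
    # Branding mismatch alone is noisy; require a relay sender or hosted link.
    return mismatch and len(reasons) > 1, reasons
```

The domain comparison matches whole labels, so a lookalike such as `notmeta.com` is not treated as a Meta sender.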

The operation employs multiple lures, including:

  • Fake Meta appeals (e.g., account disablement, copyright complaints, or verification reviews).
  • Blue badge evaluation scams, using bogus CAPTCHA checks to harvest credentials.
  • Google Drive-hosted PDFs (created via Canva) that mimic verification instructions.
  • Fake job offers impersonating companies like Meta, WhatsApp, and Adobe to build trust before redirecting victims to malicious sites.

Metadata from the Canva-generated PDFs led researchers to a Vietnamese individual, PHẠM TÀI TÂN, whose website (phamtaitan[.]vn) advertises digital marketing services. Open-source intelligence suggests the operation is part of a broader underground economy where stolen Facebook accounts, along with associated ad reputations and recovery access, are monetized through illicit storefronts.

The campaign reflects a growing trend of Vietnamese threat actors repurposing trusted platforms (e.g., Google AppSheet, Netlify, Vercel) to scale phishing attacks, highlighting the commodification of compromised social media assets in cybercrime markets.

Source: https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html

Google TPRM report: https://www.rankiteo.com/company/google

Vercel TPRM report: https://www.rankiteo.com/company/vercel

Netlify TPRM report: https://www.rankiteo.com/company/netlify

Canva TPRM report: https://www.rankiteo.com/company/canva

Adobe TPRM report: https://www.rankiteo.com/company/adobe

"id": "canadogoonetver1777660893",
"linkid": "canva, adobe, google, netlify, vercel",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': '30,000 Facebook account owners '
                                              '(business and personal)',
                        'industry': 'Technology/Internet',
                        'location': 'Global',
                        'name': 'Meta (Facebook)',
                        'size': 'Large enterprise',
                        'type': 'Social media platform'},
                       {'industry': 'Various (global)',
                        'location': 'U.S., Italy, Canada, Philippines, and '
                                    'other countries',
                        'name': 'Victims (individuals and businesses)',
                        'size': 'Unknown',
                        'type': 'Users'}],
 'attack_vector': 'Email (Google AppSheet relay), Fake Meta-branded pages '
                  '(Netlify, Vercel, Google Drive PDFs)',
 'customer_advisories': 'Meta (Facebook) users should be cautious of '
                        'unsolicited emails or messages claiming to be from '
                        'Meta Support, especially those requesting '
                        'credentials, 2FA codes, or government IDs.',
 'data_breach': {'data_exfiltration': 'Yes (stolen data sent to '
                                      'attacker-controlled Telegram channels)',
                 'file_types_exposed': ['PDFs (fake verification '
                                        'instructions)'],
                 'number_of_records_exposed': '30,000 accounts',
                 'personally_identifiable_information': 'Yes (government ID '
                                                        'photos, account '
                                                        'details)',
                 'sensitivity_of_data': 'High (PII, government IDs, '
                                        'authentication data)',
                 'type_of_data_compromised': ['Credentials',
                                              '2FA codes',
                                              'Government ID photos',
                                              'Personally identifiable '
                                              'information (PII)']},
 'description': 'A cybercriminal operation, dubbed *AccountDumpling* by '
                'Guardio Labs, has exploited Google AppSheet as a phishing '
                'relay to compromise approximately 30,000 Facebook accounts. '
                'The campaign, attributed to Vietnamese threat actors, targets '
                'business account owners with deceptive emails impersonating '
                'Meta Support, warning of imminent account deletion unless '
                'users submit an appeal.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage to Meta '
                                       '(Facebook) due to impersonation and '
                                       'account hijacking',
            'data_compromised': 'Facebook account credentials, 2FA codes, '
                                'government ID photos, personally identifiable '
                                'information (PII)',
            'identity_theft_risk': 'High (government ID photos and PII '
                                   'exposed)',
            'operational_impact': 'Loss of access to Facebook accounts, '
                                  'potential misuse of accounts for further '
                                  'scams or ad fraud',
            'systems_affected': 'Facebook accounts (business and personal)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (stolen accounts '
                                                    'monetized through illicit '
                                                    'storefronts)',
                           'entry_point': 'Phishing emails (Google AppSheet '
                                          'relay), fake Meta-branded pages',
                           'high_value_targets': 'Facebook business account '
                                                 'owners'},
 'investigation_status': 'Ongoing (research disclosed by Guardio Labs)',
 'lessons_learned': 'Threat actors are increasingly repurposing trusted '
                    'platforms (e.g., Google AppSheet, Netlify, Vercel) to '
                    'scale phishing attacks. The commodification of stolen '
                    'social media accounts highlights the need for stronger '
                    'authentication and monitoring of third-party '
                    'integrations.',
 'motivation': 'Financial gain (monetization of stolen Facebook accounts, ad '
               'reputations, and recovery access)',
 'post_incident_analysis': {'corrective_actions': ['Meta should enhance '
                                                   'detection of phishing '
                                                   'campaigns impersonating '
                                                   'its brand.',
                                                   'Google should implement '
                                                   'stricter controls for '
                                                   'AppSheet to prevent abuse '
                                                   'as a phishing relay.',
                                                   'Users should enable '
                                                   'hardware-based 2FA and '
                                                   'verify the legitimacy of '
                                                   'emails/messages before '
                                                   'sharing sensitive '
                                                   'information.'],
                            'root_causes': ['Exploitation of trusted platforms '
                                            '(Google AppSheet, Netlify, '
                                            'Vercel) to bypass security '
                                            'filters',
                                            'Social engineering tactics (fake '
                                            'Meta appeals, blue badge scams, '
                                            'job offers)',
                                            'Lack of user awareness about '
                                            'phishing risks and 2FA bypass '
                                            'techniques']},
 'recommendations': ['Implement stricter email authentication for platforms '
                     'like Google AppSheet to prevent abuse.',
                     'Enhance user education on phishing tactics, especially '
                     'those impersonating Meta or other trusted brands.',
                     'Monitor for unusual activity in Facebook accounts, such '
                     'as unauthorized logins or changes to recovery '
                     'information.',
                     'Use hardware-based 2FA (e.g., security keys) instead of '
                     'SMS or app-based codes where possible.',
                     'Regularly audit third-party services and integrations '
                     'for potential misuse.'],
 'references': [{'source': 'Guardio Labs'},
                {'source': "PHẠM TÀI TÂN's website (phamtaitan[.]vn)",
                 'url': 'http://phamtaitan[.]vn'}],
 'response': {'third_party_assistance': 'Guardio Labs (research and '
                                        'disclosure)'},
 'threat_actor': 'Vietnamese threat actors (attributed to *PHẠM TÀI TÂN*)',
 'title': 'Vietnamese-Linked Phishing Operation Hijacks 30,000 Facebook '
          'Accounts via Google AppSheet',
 'type': 'Phishing',
 'vulnerability_exploited': 'Lack of email authentication for Google AppSheet, '
                            'social engineering (credential harvesting, 2FA '
                            'bypass)'}