CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Large-scale Facebook account takeover campaign leveraging Google AppSheet and Vietnamese-linked infrastructure

First reported
Last updated
1 unique sources, 1 articles

Summary

Hide ▲

A Vietnamese-linked cybercriminal operation codenamed AccountDumpling has compromised approximately 30,000 Facebook accounts using a phishing campaign that abuses Google AppSheet as a relay and exfiltration channel. The campaign targets Facebook Business account owners via phishing emails impersonating Meta Support, directing victims to fake web pages hosted on platforms such as Netlify, Vercel, and Google Drive, or through PDF lures hosted on Canva. Account credentials, 2FA codes, government IDs, and browser screenshots were collected and sold via underground channels, with data exfiltrated to attacker-controlled Telegram channels. Victim geography spans the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico.

Timeline

  1. 01.05.2026 21:09 1 articles · 18h ago

    AccountDumpling campaign compromises ~30,000 Facebook accounts via Google AppSheet phishing relay

    A Vietnamese-linked operation, codenamed AccountDumpling, has compromised approximately 30,000 Facebook accounts through a phishing campaign that abuses Google AppSheet as a relay for sending emails and exfiltrating stolen data to Telegram channels. Victims were targeted via multiple phishing lures including fake Meta Support appeals, account verification PDFs, and bogus job offers, with data harvested across multiple platforms including Netlify, Vercel, Google Drive, and Canva-hosted assets. Attribution links the operation to a Vietnamese actor via Canva metadata and a Vietnamese digital marketing website (phamtaitan[.]vn), indicating a large-scale, monetized ecosystem around stolen Facebook assets.

    Show sources
    Open in new tab

Information Snippets

  • The campaign abuses Google AppSheet’s [email protected] address to send phishing emails that bypass spam filters, targeting Facebook Business account owners with Meta Support-themed lures.

    First reported: 01.05.2026 21:09
    1 source, 1 article
    Show sources

  • Four main phishing clusters were identified: Netlify-hosted fake Facebook help center pages, Vercel-hosted “Security Check” or “Meta | Privacy Center” pages with a fake CAPTCHA gate, Google Drive-hosted PDFs masquerading as verification instructions, and fake job offers impersonating major tech companies.

    First reported: 01.05.2026 21:09
    1 source, 1 article
    Show sources

  • Credential harvesting includes passwords, 2FA codes, government-issued ID photos, dates of birth, phone numbers, contact details, business information, and browser screenshots, all exfiltrated to Telegram channels.

    First reported: 01.05.2026 21:09
    1 source, 1 article
    Show sources

  • Approximately 30,000 victim records have been collected across the three primary clusters, with victims predominantly located in the U.S., Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico.

    First reported: 01.05.2026 21:09
    1 source, 1 article
    Show sources

  • Attribution points to a Vietnamese threat actor via metadata from Canva-generated PDFs listing author “PHẠM TÀI TÂN” and a Vietnamese website (phamtaitan[.]vn) offering digital marketing services.

    First reported: 01.05.2026 21:09
    1 source, 1 article
    Show sources