Updated · CyberInsider · May 1
Google AppSheet phishing operation compromises 30,000 Facebook accounts
  • Guardio Labs said the campaign used authenticated emails from noreply@AppSheet.com and appsheet.bounces.google.com, with about 68% of victims in the United States.
  • Researchers tracked four attack clusters using Netlify, Vercel, Google Drive, Canva and Telegram to steal credentials, IDs and two-factor codes, often targeting Facebook Business users.
  • Evidence, including Vietnamese-language artifacts and metadata naming Phạm Tài Tân, suggests a modular criminal ecosystem monetising stolen accounts through resale or paid recovery services.

How Attackers Exploited Google AppSheet and Cloud Services to Steal 30,000 Facebook Business Accounts

Overview

In early 2026, the AccountDumpling phishing campaign compromised around 30,000 Facebook Business accounts by abusing Google AppSheet to send authentic-looking emails that bypassed email security. Attackers impersonated Meta Support with urgent messages, leading victims to click links directing them to fake Facebook pages hosted on platforms like Netlify, Vercel, and Google Drive. These pages stole sensitive data, including credentials and 2FA codes, which were exfiltrated via Telegram. The stolen accounts were then sold in an underground marketplace, fueling further scams. Additionally, a related April 2026 Vercel breach exposed insecure configurations, highlighting broader cloud platform vulnerabilities exploited by attackers.

...