Breaking
Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Hackers Hide Credit Card Stealer in Pixel-Sized SVG Images Targeting Magento Stores Microsoft Suspends Developer Accounts for High-Profile Open Source Projects European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack Ransomware Attacks Surge in 2026: Healthcare and Finance Most Targeted Google Chrome Zero-Day Vulnerability Actively Exploited – Update Immediately Adobe Patches Actively Exploited Acrobat Reader Flaw CVE-2026-34621 Hackers Hide Credit Card Stealer in Pixel-Sized SVG Images Targeting Magento Stores Microsoft Suspends Developer Accounts for High-Profile Open Source Projects European Commission Confirms Data Breach Linked to Trivy Supply Chain Attack Ransomware Attacks Surge in 2026: Healthcare and Finance Most Targeted Google Chrome Zero-Day Vulnerability Actively Exploited – Update Immediately
Latest Threat Intel Zero-Days Data Breaches Analysis
Live threat feed May 19, 2026 | 11:58 UTC
4110 CVEs This Month
6 Actively Exploited
2 Ransomware Activity
18 Breaches YTD
Threat Investigation Portal
Investigate an IOC in the live graph workspace.
Investigate IOC
Threat Intelligence

Vietnamese-Linked Campaign Exploits Google AppSheet in Facebook Account Phishing Attack

Thirumala Rao Padilam Thirumala Rao Padilam May 1, 2026
Vietnamese-Linked Campaign Exploits Google AppSheet in Facebook Account Phishing Attack

Security researchers have identified a Vietnamese-linked threat operation leveraging Google AppSheet as a phishing relay to distribute emails targeting Facebook users. The campaign, named AccountDumpling by Guardio, has resulted in approximately 30,000 Facebook accounts being compromised, with the stolen credentials subsequently sold through an illicit marketplace managed by the attackers.

What happened

Guardio researchers uncovered a phishing campaign linked to threat actors in Vietnam that utilizes Google AppSheet as a platform to relay phishing emails. This method enables the distribution of phishing messages designed to trick Facebook users into revealing their login credentials. The compromised accounts are then collected by the group and sold through an illicit storefront operated by the same actors.

The campaign, dubbed AccountDumpling, reportedly resulted in roughly 30,000 Facebook accounts being compromised. Google AppSheet—a no-code application development service—was exploited by the attackers to facilitate phishing distribution, leveraging a reputable platform possibly to evade traditional email filters and increase recipient trust.

Why it matters

This campaign highlights the growing trend of threat actors exploiting legitimate cloud services to conduct phishing attacks, complicating detection and prevention efforts. By using Google AppSheet as a phishing relay, the attackers take advantage of a trusted platform to bypass security controls and deliver malicious content, thereby increasing the effectiveness of their campaign.

The targeting of Facebook accounts is significant due to the widespread use of the platform and the potential for compromised accounts to be used for further malicious activity or sold for profit. The illicit sale of these credentials underscores the ongoing monetization of compromised digital identities and the importance of vigilance for both users and defenders.

What security teams should do

Security teams should review email filtering policies and enhance detection capabilities for phishing campaigns that may abuse cloud-based platforms like Google AppSheet. Monitoring for unusual login activity on Facebook accounts and enforcing multi-factor authentication can reduce the impact of credential compromise.

Users and administrators should educate end users about the risks of phishing emails, especially those that appear to come from trusted or legitimate services. Additionally, security teams may consider blocking or closely scrutinizing emails originating from cloud application relays that are not part of established enterprise workflows.

Key technical details

The attackers employed Google AppSheet to relay phishing emails, a technique that leverages the platform’s legitimate infrastructure to distribute malicious messages. This method potentially helps circumvent traditional email security filters that trust emails sent via reputable cloud services.

The phishing emails were crafted to target Facebook users, aiming to capture their login credentials. Once harvested, the compromised accounts were aggregated and sold through a threat actor-operated dark web storefront. The campaign was named AccountDumpling by Guardio during their investigation.

Affected organizations/products

Approximately 30,000 Facebook accounts have been compromised as part of this campaign. The affected platform is Facebook, targeted via phishing emails relayed through Google AppSheet by a Vietnamese-linked threat actor group.

Source attribution

https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html

Thirumala Rao Padilam
Written by
Thirumala Rao Padilam
error: Content is protected !!