30,000 Facebook Business Accounts Compromised in AccountDumpling Phishing Campaign Abusing Google AppSheet and Trusted Cloud Platforms


Executive Summary

A large-scale phishing campaign, codenamed AccountDumpling, has resulted in the compromise of approximately 30,000 Facebook accounts worldwide. The operation, attributed to Vietnamese threat actors, leveraged Google AppSheet, a legitimate no-code workflow platform, to distribute phishing emails that bypassed standard email security controls. These emails, appearing to originate from Meta Support, targeted Facebook Business account owners and page administrators with urgent messages about account disablement or policy violations. Victims were redirected to convincingly crafted phishing sites hosted on trusted platforms such as Netlify, Vercel, and Google Drive, where their credentials, two-factor authentication (2FA) codes, and sensitive personal information were harvested. The stolen data was exfiltrated via Telegram bots and monetized through illicit storefronts and dark web markets. The campaign demonstrates advanced evasion techniques, real-time operator control, and a persistent criminal-commercial loop. The impact includes account lockouts, business disruptions, financial loss, and the further circulation of stolen personally identifiable information (PII). The evidence supporting these findings is drawn from technical reports by Guardio Labs, KnowBe4 Threat Lab, and sector analysis by The Hacker News, with all major claims corroborated by primary sources and direct technical artifacts.

Technical Information

The AccountDumpling campaign represents a sophisticated, multi-stage phishing operation that exploits trusted cloud services to maximize delivery success and evade detection. The attackers abused Google AppSheet to send phishing emails from noreply@appsheet.com, a legitimate and authenticated domain. This allowed the emails to pass Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) checks, effectively bypassing most spam filters and secure email gateways (Guardio Labs, April 29, 2026; The Hacker News, May 1, 2026; KnowBe4 Threat Lab, May 23, 2025).

The phishing emails impersonated Meta Support and used urgent language to induce panic, such as warnings about imminent account deletion or policy violations. Upon clicking the embedded links, victims were directed to phishing sites hosted on Netlify (for fake Facebook Help Center pages), Vercel (for "Security Check" and "Meta | Privacy Center" pages), or Google Drive (for PDFs containing phishing instructions). These sites were designed to closely mimic legitimate Facebook interfaces, including the use of animated logos and detailed branding, to lower suspicion.

The phishing infrastructure was organized into four main clusters:

Cluster A involved Netlify-hosted Facebook Help Center clones that collected not only usernames and passwords but also dates of birth, phone numbers, and government-issued ID photos. This comprehensive data set enabled attackers to bypass account recovery safeguards.

Cluster B used Vercel-hosted pages offering blue badge evaluations or advertiser rewards, with fake CAPTCHA gates and double-prompt credential harvesting. Victims were asked to re-enter credentials and 2FA codes, increasing the likelihood of successful compromise.

Cluster C distributed Google Drive-hosted PDFs masquerading as Meta notices. Metadata from these PDFs revealed the Vietnamese name "PHẠM TÀI TÂN," directly linking the operation to Vietnamese threat actors.

Cluster D impersonated recruiters from well-known companies, including WhatsApp, Meta, Adobe, Pinterest, Apple, and Coca-Cola, to lure victims into further engagement on attacker-controlled sites.

The phishing sites employed advanced techniques such as man-in-the-middle (MitM) proxies. When victims entered their credentials and 2FA codes, the sites relayed this information in real time to the legitimate Facebook service, enabling attackers to hijack sessions and bypass 2FA protections (KnowBe4 Threat Lab, May 23, 2025).

Exfiltration of stolen data was conducted via Telegram bots, with operator panels providing real-time control and monitoring. Approximately 30,000 victim records were observed in attacker-controlled Telegram channels, with the majority of victims located in the United States, followed by Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico. Over 50 countries were affected in total (Guardio Labs, April 29, 2026).

The compromised data included Facebook account credentials, 2FA codes, dates of birth, phone numbers, government-issued ID photos, business information, contact details, browser screenshots, and, in some cases, credit card and financial data. Victims experienced account lockouts, business disruptions, fraudulent activity, and financial loss. Stolen accounts and PII were sold on underground markets, with compromised accounts further used for disinformation, fake endorsements, fraudulent storefronts, and identity laundering.

Attribution to Vietnamese threat actors is supported by direct technical evidence, including PDF metadata, Telegram infrastructure, and open-source intelligence linking to a Vietnamese digital marketing website (phamtaitan[.]vn). The operation demonstrates a high level of organization, continuous evolution, and a criminal-commercial feedback loop.

The attack methods align with several MITRE ATT&CK techniques, including T1566.003 (Phishing via Service), T1583.006 (Acquire Infrastructure: Web Services), T1556.002 (Modify Authentication Process: Adversary-in-the-Middle), T1557 (Man-in-the-Middle), T1041 (Exfiltration Over C2 Channel), and T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage).

Affected Versions & Timeline

The campaign primarily targeted Facebook Business account owners and page administrators, with evidence of activity dating back to March 2025. The largest spike in phishing emails was observed on April 20, 2025, with continued activity through April 2026. The technical infrastructure abused the legitimate, unmodified services Google AppSheet, Netlify, Vercel, and Google Drive. There is no evidence that vulnerabilities in these platforms themselves were exploited; rather, their legitimate features were abused for malicious purposes.

Timeline of key events:

March 2025: Surge in AppSheet-powered phishing attacks impersonating Meta observed by KnowBe4 Threat Lab (KnowBe4 Threat Lab, May 23, 2025).

April 20, 2025: Largest spike in AppSheet phishing emails detected.

May 2025: KnowBe4 publishes technical analysis of the campaign.

April 29, 2026: Guardio Labs publishes in-depth technical report, mapping 30,000+ victims and attributing the campaign to Vietnamese threat actors (Guardio Labs, April 29, 2026).

May 1, 2026: The Hacker News publishes a summary and sector analysis based on Guardio’s findings (The Hacker News, May 1, 2026).

Threat Activity

The threat actors behind AccountDumpling demonstrated advanced operational capabilities, including real-time operator panels, continuous evolution of phishing lures, and sophisticated evasion techniques. The campaign targeted high-value Facebook Business accounts, leveraging urgent and personalized lures to maximize engagement. The use of Google AppSheet for email delivery ensured high deliverability and trust, while the hosting of phishing infrastructure on Netlify, Vercel, and Google Drive further reduced the likelihood of detection.

Credential harvesting was enhanced through double-prompt techniques and man-in-the-middle proxies, enabling attackers to bypass 2FA and gain immediate access to victim accounts. Exfiltration via Telegram bots allowed for rapid monetization and operational agility. The campaign’s criminal-commercial loop involved selling stolen accounts and PII on underground markets, with some victims reporting subsequent credit card abuse and financial loss.

Attribution to Vietnamese threat actors is supported by direct technical artifacts, including PDF metadata and Telegram infrastructure, as well as open-source intelligence linking to a Vietnamese digital marketing website. The operation is consistent with a broader pattern of Vietnamese-linked campaigns targeting Facebook assets for monetization.

Mitigation & Workarounds

Critical: Organizations should implement advanced email security solutions capable of detecting phishing attempts that leverage trusted cloud services such as Google AppSheet. Security teams must configure email gateways to flag or quarantine emails from workflow automation platforms when they contain suspicious content or impersonate high-value brands.

Critical: Enforce strict multi-factor authentication (MFA) policies for all Facebook Business accounts and associated email accounts. Where possible, use hardware-based security keys (FIDO2/U2F) instead of SMS or app-based 2FA, since security keys, unlike SMS or app-generated codes, are far less susceptible to man-in-the-middle attacks.
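The following model illustrates the mechanism behind both the 2FA bypass described under Technical Information (a relay proxy forwarding credentials and codes to the real service in real time) and the recommendation above to prefer FIDO2 keys. It is an added example written for this report and is not code from Guardio Labs, KnowBe4, Meta, or any authenticator vendor. The origins, the TOTP seed, the credential key, and the use of HMAC as a stand-in for the ECDSA signature a real security key produces are all constructed simplifications; the property demonstrated (a TOTP code carries no information about where it was typed, whereas a WebAuthn assertion is signed over the origin the browser actually displayed) is the real one.

```python
"""Why an adversary-in-the-middle relay can forward a TOTP code but not a
FIDO2/WebAuthn assertion. Added example for this report; not Guardio, KnowBe4
or Meta code. Origins, keys and the HMAC signature stand-in are constructed."""
import hashlib
import hmac
import json
import struct
from typing import Optional, Tuple
from urllib.parse import urlparse

RP_ID = "facebook.com"                               # rpId the real site registers keys under (constructed)
REAL_ORIGIN = "https://www.facebook.com"             # origin the relying party expects (constructed)
PHISH_ORIGIN = "https://meta-privacy-center.example"  # attacker-controlled origin (constructed)
AUTH_KEY = b"constructed-credential-key"             # symmetric stand-in for the credential key pair
TOTP_SEED = b"constructed-totp-seed"


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). The code depends only on the seed and the
    time step, so it says nothing about which site the user typed it into."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp_relayed_code_is_accepted(now: int) -> bool:
    """Victim types the code into the phishing page; the proxy forwards it
    unchanged to the real site within the same time step, and it is accepted."""
    typed_on_phish_page = totp(TOTP_SEED, now)
    forwarded_by_proxy = typed_on_phish_page
    return hmac.compare_digest(forwarded_by_proxy, totp(TOTP_SEED, now))


def authenticator_sign(rp_id: str, challenge: str, origin: str) -> dict:
    """Simplified authenticator: signs authData || sha256(clientDataJSON).
    HMAC stands in for the ECDSA signature a real key would produce."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data, "auth_data": auth_data,
            "signature": hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()}


def browser_get(origin: str, rp_id: str, challenge: str) -> Optional[dict]:
    """The browser, not the page, writes the origin it is really showing into
    clientDataJSON, and refuses an rpId that is not that origin's host or a
    parent domain of it (a SecurityError in a real browser)."""
    host = urlparse(origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None
    return authenticator_sign(rp_id, challenge, origin)


def rp_verify(challenge: str, assertion: Optional[dict]) -> Tuple[bool, str]:
    """Relying-party checks, in the order the WebAuthn verification procedure applies them."""
    if assertion is None:
        return False, "browser refused the request"
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong type"
    if cd.get("challenge") != challenge:
        return False, "challenge mismatch"
    if cd.get("origin") != REAL_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(AUTH_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login(challenge: str = "constructed-challenge") -> Tuple[bool, str]:
    return rp_verify(challenge, browser_get(REAL_ORIGIN, RP_ID, challenge))


def relayed_login(challenge: str = "constructed-challenge") -> Tuple[bool, str]:
    """Proxy forwards the real site's challenge to a victim whose browser is on
    the phishing origin; the browser will not sign for the real site's rpId there."""
    return rp_verify(challenge, browser_get(PHISH_ORIGIN, RP_ID, challenge))


def spliced_origin_login(challenge: str = "constructed-challenge") -> Tuple[bool, str]:
    """Even with an assertion signed on the phishing origin, rewriting the origin
    and rpIdHash to look legitimate breaks the signature, which covers both."""
    assertion = browser_get(PHISH_ORIGIN, urlparse(PHISH_ORIGIN).hostname, challenge)
    cd = json.loads(assertion["client_data"])
    cd["origin"] = REAL_ORIGIN
    assertion["client_data"] = json.dumps(cd, sort_keys=True).encode()
    assertion["auth_data"] = hashlib.sha256(RP_ID.encode()).digest() + assertion["auth_data"][32:]
    return rp_verify(challenge, assertion)


if __name__ == "__main__":
    print("TOTP relayed code accepted:", totp_relayed_code_is_accepted(1_700_000_000))
    print("FIDO2 legitimate:", legitimate_login())
    print("FIDO2 relayed:", relayed_login())
    print("FIDO2 spliced:", spliced_origin_login())
```

The first call returns True (the relayed code is indistinguishable from one typed on the real site), while the two FIDO2 relay attempts fail at the browser and at signature verification respectively. This is the concrete reason the mitigation above ranks security keys above SMS and app-based codes.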

High: Conduct regular security awareness training for employees, emphasizing the risks of phishing emails that appear to originate from trusted platforms and the importance of verifying sender addresses and URLs before entering credentials.

High: Monitor for unauthorized access or suspicious activity on Facebook accounts, including changes to account recovery information, login attempts from unusual locations, and new device registrations.

Medium: Review and restrict the use of third-party workflow automation tools and cloud services that can send emails on behalf of the organization. Implement allow-lists and block-lists as appropriate.
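The gateway configuration recommended under the first Critical item and the allow-list approach in the Medium item above can be combined into a single triage rule. The following is an added example written for this report, not a rule shipped by Guardio Labs, KnowBe4, or any email security vendor. The sender domain (appsheet.com), the impersonated brand, and the free-hosting suffixes come from the campaign description; the urgency vocabulary, the scoring thresholds, the placeholder set of brand-owned domains, and the two sample messages are constructed for the example.

```python
"""Triage rule: notifications sent through a workflow-automation platform that
impersonate a high-value brand and link to free hosting. Added example for this
report; sender domains, brand terms and hosting suffixes follow the campaign
description, everything else is constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from urllib.parse import urlparse

AUTOMATION_SENDERS = {"appsheet.com"}                  # automation platform abused in the campaign
BRAND_TERMS = ("meta", "facebook")                     # brand impersonated in display names
BRAND_DOMAINS = {"brand-owned-domain.example"}         # placeholder: domains verified as brand-owned
FREE_HOSTING_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
URGENCY = re.compile(r"\b(disabled|deleted|deletion|violat\w*|suspend\w*|within \d+ hours|immediately)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _text(msg: Message) -> str:
    """Subject plus every decoded text/plain or text/html part."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def _under(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(raw: str, allowed_automation=frozenset()) -> dict:
    """Score one RFC 822 message. allowed_automation is the organization's
    allow-list of automation platforms that legitimately mail its users."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    text = _text(msg)
    score, reasons = 0, []

    # Mail from an automation platform is not malicious by itself; it is more
    # suspicious when the organization never approved that platform.
    if sender_domain in AUTOMATION_SENDERS:
        if sender_domain in allowed_automation:
            score += 1
            reasons.append(f"sent via automation platform {sender_domain}")
        else:
            score += 2
            reasons.append(f"automation platform {sender_domain} not on allow-list")
    # Brand name in the display name while the envelope domain is not brand-owned.
    if any(b in display.lower() for b in BRAND_TERMS) and sender_domain not in BRAND_DOMAINS:
        score += 2
        reasons.append(f"display name {display!r} claims a brand, sender domain is {sender_domain}")
    if URGENCY.search(text):
        score += 1
        reasons.append("urgency / account-disablement language")
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    free = sorted(h for h in hosts if _under(h, FREE_HOSTING_SUFFIXES))
    if free:
        score += 2
        reasons.append("links to free hosting: " + ", ".join(free))

    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return {"verdict": verdict, "score": score, "reasons": reasons}


# Constructed sample messages modelled on the lure described in the report.
PHISH = """\
From: "Meta Support" <noreply@appsheet.com>
To: admin@victim-business.example
Subject: Your Page will be permanently disabled within 24 hours
Content-Type: text/plain; charset=utf-8

We detected a policy violation on your Facebook Business Page.
Appeal now: https://help-center-meta.netlify.app/appeal
"""

BENIGN = """\
From: "AppSheet" <noreply@appsheet.com>
To: admin@victim-business.example
Subject: Inventory app: 3 new rows added
Content-Type: text/plain; charset=utf-8

Open the app: https://www.appsheet.com/start/constructed-app-id
"""

if __name__ == "__main__":
    print(triage(PHISH))
    print(triage(BENIGN, allowed_automation={"appsheet.com"}))
    print(triage(BENIGN))
```

The phishing sample scores on all four signals and is quarantined; the genuine AppSheet notification is delivered when appsheet.com is on the organization's allow-list and merely flagged for review when it is not, which is the behaviour the Medium recommendation above asks for. Note that SPF, DKIM and DMARC all pass for both messages, so this rule deliberately relies on content and sender-policy signals rather than on authentication results.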

Medium: Encourage users to report suspicious emails and phishing attempts to IT or security teams for investigation and response.

Low: Periodically audit business social media accounts for signs of compromise, such as unexpected posts, changes in page ownership, or new administrators.

If compromise is suspected, immediately reset all credentials, revoke active sessions, and review account recovery options. Notify affected users and consider engaging with law enforcement or incident response professionals for further investigation.

References

The Hacker News, May 1, 2026: https://thehackernews.com/2026/05/30000-facebook-accounts-hacked-via.html

Guardio Labs, April 29, 2026: https://guard.io/labs/accountdumpling---hunting-down-the-google-sent-phishing-wave-compromising-30-000-facebook-accounts

KnowBe4 Threat Lab, May 23, 2025: https://blog.knowbe4.com/impersonating-meta-powered-by-appsheet-a-rising-phishing-campaign-exploits-trusted-platforms-to-evade-detection

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and cloud services. Our platform enables continuous monitoring of supply chain exposures, detection of phishing infrastructure leveraging trusted platforms, and rapid response to emerging threats. For questions or further information, contact us at ops@rescana.com.