{"id":783,"date":"2026-05-01T20:00:58","date_gmt":"2026-05-01T20:00:58","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=783"},"modified":"2026-05-01T20:00:58","modified_gmt":"2026-05-01T20:00:58","slug":"30000-facebook-accounts-hacked-via-google-appsheet-phishing-campaign","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=783","title":{"rendered":"30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign"},"content":{"rendered":"
\n

\ue804<\/i>Ravie Lakshmanan<\/span>\ue802<\/i>May 01, 2026<\/span><\/span>Malware \/ Threat Intelligence<\/span><\/p>\n<\/div>\n

\n
<\/a><\/div>\n

A newly discovered Vietnamese-linked operation has been observed using a Google AppSheet as a \u00abphishing relay\u00bb to distribute phishing emails with an aim to compromise Facebook accounts.<\/p>\n

The activity has been codenamed AccountDumpling<\/strong> by Guardio, with the scheme selling the stolen accounts back through an illicit storefront run by the threat actors. In all, roughly 30,000 Facebook accounts are estimated to have been hacked as part of the campaign.<\/p>\n

\u00abWhat we found wasn’t a single phishing kit,\u00bb security researcher Shaked Chen wrote<\/a> in a report shared with The Hacker News. \u00abIt was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.\u00bb<\/p>\n

The findings are just the latest example of how Vietnamese threat actors continue to embrace various tactics to gain unauthorized access to victims’ Facebook accounts, which are then sold on underground ecosystems for monetary gain.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

The starting point of the latest attacks is a phishing email targeting Facebook Business account owners, claiming to be from Meta Support and urging them to submit an appeal, or risk getting their account permanently deleted. The emails are sent from a Google AppSheet address (\u00abnoreply@appsheet.com\u00bb), allowing them to bypass spam filters.<\/p>\n

This false sense of urgency is used to direct users to a fake web page designed to harvest their credentials. It’s worth noting that a similar campaign was reported by KnowBe4 in May 2025.<\/p>\n

\"\"<\/a><\/div>\n

Over the past few weeks, these campaigns have adopted various kinds of lures designed to induce a \u00abMeta-related panic.\u00bb These range from account disablement and copyright complaints to verification review, executive recruitment, and Facebook login alerts. The four main clusters identified by Guardio are listed below –<\/p>\n