In a devastating blow to social media security in 2026, cybersecurity experts have confirmed that over 30,000 Facebook accounts were hacked via a highly sophisticated Google AppSheet phishing campaign. This massive breach, meticulously orchestrated by a Vietnamese-linked cybercriminal syndicate, has sent shockwaves through the digital marketing and online business communities. The operation, formally codenamed “AccountDumpling” by security researchers, bypassed traditional email security gateways by abusing legitimate Google infrastructure. By weaponizing trust and inducing widespread panic among Facebook Business page administrators, the attackers built a lucrative criminal enterprise on stolen digital identities.

The Mechanics of the Attack: Anatomy of AccountDumpling
The ingenuity of the AccountDumpling operation lies in its ability to seamlessly bypass modern spam filters. To execute a successful Facebook Business account takeover, threat actors need their malicious emails to land directly in the primary inbox of their victims, getting past the sophisticated algorithms of Gmail, Outlook, and other email providers. They achieved this by routing their phishing emails through a Google AppSheet relay. Because the emails originated from an official, highly trusted “@appsheet.com” address, email clients automatically flagged them as safe.
“What we found wasn’t a single phishing kit. It was a living operation with real-time operator panels, advanced evasion, continuous evolution and a criminal-commercial loop that quietly feeds on the same accounts it helps steal back.”
Once the email reached the victim’s inbox, the psychological manipulation began. The attackers disguised themselves as official “Meta Support” representatives. They crafted urgent, high-stakes messages claiming that the user’s Facebook account was in imminent danger of permanent deletion due to alleged policy violations or copyright complaints. The victims, desperate to save their business pages and ad accounts, were instructed to click a link to submit a formal appeal. This false sense of urgency, often referred to as “Meta-related panic,” is a classic social engineering tactic designed to force quick action without critical thought.
| Phishing Lure Strategy | Psychological Trigger | Victim Action Required |
|---|---|---|
| Account Disablement Warning | Fear of losing business revenue | Clicking “Appeal” link |
| Copyright Infringement Claim | Legal anxiety and reputational damage | Providing verification documents |
| Blue Badge Verification Check | Desire for social status and account security | Entering current passwords and 2FA |
| Fake Executive Job Offers | Financial greed and career advancement | Joining external communication channels |
The Credential Harvesting Network: A Multi-Layered Threat
Clicking the malicious link was only the first step in a highly orchestrated credential harvesting network. The AccountDumpling campaign utilized a multi-layered approach to maximize the data they could extract from panicked users. The attackers systematically abused several legitimate, trusted platforms to host their malicious infrastructure, making it incredibly difficult for standard web security scanners to detect the threat in real-time.
According to comprehensive threat analysis, the phishing pages were categorized into distinct clusters, each designed to evade detection while harvesting maximum data. One of the primary clusters involved Netlify-hosted fake Facebook help center pages. These pages were meticulously designed to look exactly like the real Meta support portals. Here, victims were prompted to enter not just their login credentials, but a wealth of personally identifiable information (PII). This included dates of birth, active phone numbers, and, shockingly, clear photos of government-issued IDs—data crucial for bypassing advanced account recovery protocols.
“These campaigns have adopted various kinds of lures designed to induce a Meta-related panic, effectively blinding users to the subtle signs of a digital scam.”
Another sophisticated cluster utilized Vercel to host fake “Security Check” and “Meta Privacy Center” landing pages. To add a layer of false legitimacy, these pages were gated by bogus CAPTCHA challenges. Once a user completed the fake CAPTCHA, they were led to a phishing form. The attackers even programmed the forms to force a “retry” upon the first submission, ensuring they captured the user’s password twice while simultaneously intercepting live two-factor authentication (2FA) codes. All of this stolen data was instantly exfiltrated and forwarded in real-time to attacker-controlled Telegram channels.
| Platform Abused | Role in Phishing Campaign | Evasion Technique |
|---|---|---|
| Google AppSheet | Email Delivery / Phishing Relay | Using trusted “@appsheet.com” domain |
| Netlify & Vercel | Hosting Fake Meta Support Pages | High-reputation hosting IP addresses |
| Google Drive & Canva | Hosting Malicious PDF Instructions | Embedded links in trusted file formats |
| Telegram | Real-time Data Exfiltration | Encrypted, decentralized data routing |
The Role of Canva and Google Drive
The third major cluster identified by security analysts involved the distribution of Google Drive-hosted PDFs. These documents masqueraded as official step-by-step instructions for completing Facebook account verification. The attackers generated these convincing documents using free Canva accounts. Embedded within these PDFs were links that directed users to malicious sites that used “html2canvas” scripts to secretly capture browser screenshots, alongside forms designed to siphon passwords and 2FA codes. This cross-platform abuse highlights the evolving complexity of modern cyber threats.
| Data Harvested by Attackers | Primary Criminal Use Case |
|---|---|
| Usernames & Passwords | Initial account compromise and lock-out |
| Live 2FA / OTP Codes | Bypassing secondary security measures |
| Government ID Photos | Defeating Meta’s account recovery process |
| Business Credit Card Data | Running fraudulent ad campaigns |
The Dark Market: Vietnamese Threat Actors Exposed
While compiling the data from the intercepted Telegram channels, researchers discovered a staggering volume of stolen information. The databases held approximately 30,000 victim records. These compromised accounts belonged to users primarily located in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the U.K., Brazil, and Mexico. The global scale of the attack indicated a highly organized syndicate.
The “smoking gun” that tied this massive operation together was found hidden within the metadata of the malicious PDFs generated via Canva. Security experts discovered the name “PHẠM TÀI TÂN” listed as the file author. Further open-source intelligence (OSINT) gathering linked this name to a website offering digital marketing services based in Vietnam. The website openly advertised services related to digital marketing strategies and resources, effectively operating as a front for their illicit cyber activities.
“This campaign is bigger than a single AppSheet abuse. It’s a window into the dark market around stolen Facebook assets, where access, business identity, ad reputation, and even account recovery have all become tradable commodities.”
Vietnamese threat actors have steadily gained notoriety in the cybersecurity landscape for their aggressive targeting of Facebook Business accounts. The stolen accounts are not simply held for ransom; they are fed into a sprawling, underground criminal ecosystem. These accounts are highly prized for their established ad reputation, attached payment methods, and broad reach. Cybercriminals purchase these compromised assets to run massive, fraudulent advertising campaigns, spread malware, or conduct further phishing operations, creating a continuous, profitable loop of cybercrime.
| Top Affected Regions | Estimated Impact Level | Target Demographic |
|---|---|---|
| United States & Canada | Severe (High Financial Loss) | High-spend ad account managers |
| Europe (Italy, UK, Spain) | High | Small-to-Medium Enterprise owners |
| Asia-Pacific (India, Philippines, Aus) | High | Digital marketing agencies |
Protecting Your Assets in 2026
The AccountDumpling campaign serves as a stark reminder that email sender domains can no longer be implicitly trusted. As detailed by cybersecurity researchers reporting on the breach, threat actors are continuously finding ways to weaponize legitimate tools like Google AppSheet, Vercel, and Canva. Facebook Business owners must remain hyper-vigilant. It is critical to establish internal protocols for handling account warnings. Never click links directly from emails claiming your account will be disabled. Instead, navigate manually to the official Meta Business Manager dashboard to check for authentic alerts. Furthermore, implementing hardware-based security keys (like YubiKeys) for 2FA provides a much stronger defense against real-time phishing proxy attacks than standard SMS or authenticator app codes.
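As an added illustration (not code from the researchers or from any vendor), the sketch below shows how a mail-triage rule can stop trusting the sender domain on its own and instead combine the signals this article describes: Meta-themed lure wording, a sender outside Meta's domains, the AppSheet relay, and links to the abused hosting platforms. The Meta domain list, the lure pattern, the reason labels and both sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

RELAY_DOMAINS = ("appsheet.com",)  # relay named in the article
ABUSED_HOSTS = ("netlify.app", "vercel.app", "drive.google.com")  # from the table
META_DOMAINS = ("facebook.com", "meta.com", "facebookmail.com")  # assumption
# Lure wording based on the article's lure table; the pattern is illustrative.
LURE = re.compile(r"meta support|account[^.]{0,40}(disabl|delet)|copyright"
                  r"|blue badge|submit (an |your )?appeal", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the listed domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(raw):
    """Return the reasons a raw message resembles the lures described above."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    body = part.get_content() if part else ""
    lure = bool(LURE.search(f"{display} {msg.get('Subject', '')} {body}"))
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(body)}
    reasons = []
    if lure and not in_domains(sender, META_DOMAINS):
        reasons.append("meta-lure-from-non-meta-sender")
    if lure and in_domains(sender, RELAY_DOMAINS):
        reasons.append("lure-via-trusted-relay")
    if any(in_domains(h, ABUSED_HOSTS) for h in hosts):
        reasons.append("link-to-abused-hosting")
    return reasons

# Constructed sample messages (not real campaign emails).
PHISH = ('From: "Meta Support" <constructed-sender@appsheet.com>\n'
         "Subject: Your account will be disabled\n\n"
         "Submit an appeal: https://constructed-example.netlify.app/appeal\n")
BENIGN = ('From: "AppSheet" <constructed-sender@appsheet.com>\n'
          "Subject: Inventory report ready\n\n"
          "Open the app: https://www.appsheet.com/start/123\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

The benign AppSheet notification produces no reasons, which is the point: the relay domain alone is neither trusted nor blocked, and only the combination with Meta-themed wording or abused hosting links raises a flag.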
Frequently Asked Questions

What is the AccountDumpling phishing campaign?
It is a massive cyberattack operation linked to Vietnamese threat actors that successfully compromised over 30,000 Facebook accounts by using fake Meta Support emails sent through Google AppSheet.
How did the phishing emails bypass spam filters?
The attackers used Google AppSheet as a “phishing relay.” Because the malicious emails were sent from an official, highly trusted “@appsheet.com” address, email providers did not flag them as spam.
Why are Facebook Business accounts specifically targeted?
Business accounts often have linked credit cards, high daily ad spend limits, and established reputations. Hackers steal these accounts to run fraudulent, high-volume advertising campaigns for their own profit.
What kind of data was stolen during this breach?
The hackers successfully harvested login passwords, live two-factor authentication (2FA) codes, dates of birth, phone numbers, and photographs of government-issued IDs.
How did the hackers use Canva and Google Drive?
They created fake, official-looking PDFs using free Canva accounts and hosted them on Google Drive. These documents contained malicious links that led victims to credential-harvesting websites.
Who is believed to be behind the attack?
Security researchers found metadata within the malicious files linking the operation to “PHẠM TÀI TÂN,” pointing to a large-scale cybercriminal syndicate based in Vietnam.
How can I protect my Facebook Business account from this type of attack?
Never click on links in urgent emails claiming your account is in danger. Always log directly into the official Meta Business Suite to check for real notifications. Additionally, upgrade your security by using hardware security keys instead of standard 2FA codes.

