30,000 Facebook Accounts Compromised via Google AppSheet Phishing Campaign
Tags Security · Consumer · Enterprise

A Vietnamese-linked operation codenamed AccountDumpling by Guardio Labs compromised approximately 30,000 Facebook accounts by sending phishing emails through Google AppSheet's legitimate notification system. The emails, sent from noreply@appsheet.com, passed SPF, DKIM, and DMARC checks because they originated from Google's own infrastructure. The lures impersonated Meta Support, using account disablement notices, copyright complaints, and fake job offers. Stolen data included credentials, 2FA codes, personal information, and government ID photos, all exfiltrated to Telegram channels. Of the victims, 68.6% were from the United States, followed by the UK, Canada, and Italy. Metadata traced the operation to an individual named Phạm Tài Tân.
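Because these messages pass SPF, DKIM, and DMARC, a mail filter has to compare the brand a message claims with the domain that actually sent it. The following triage check is an added example, not code from Guardio Labs or the original article; the brand terms, domain lists, finding names, and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not a real capture); header values are illustrative.
SAMPLE = """\
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=appsheet.com; dkim=pass header.d=appsheet.com; dmarc=pass header.from=appsheet.com
From: "Meta Support" <noreply@appsheet.com>
To: user@example.test
Subject: Your Facebook account will be disabled

We received a copyright complaint about your page.
"""

# Assumptions: the defender picks the brand terms and domain lists to watch.
BRAND_TERMS = re.compile(r"\b(meta|facebook)\b", re.I)
BRAND_DOMAINS = ("meta.com", "facebook.com", "facebookmail.com")
RELAY_DOMAINS = ("appsheet.com",)  # shared notification senders anyone can trigger

def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)
    return {k.lower(): v.lower() for k, v in pairs}

def triage(raw):
    """Return findings for a raw RFC 5322 message; an empty list means no flag."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    claims_brand = bool(BRAND_TERMS.search(display)
                        or BRAND_TERMS.search(msg.get("Subject", "")))
    from_brand = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    findings = []
    if claims_brand and not from_brand:
        findings.append("brand-mismatch")  # says Meta, sent by someone else
    if domain in RELAY_DOMAINS:
        findings.append("shared-notification-sender")
    auth = auth_results(msg)
    if findings and all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
        # Authentication only proves the relay sent it, not who wrote the content.
        findings.append("auth-pass-not-exculpatory")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```
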