Uncovering AccountDumpling: How a Vietnamese-Linked Phishing Campaign Hijacked 30,000 Facebook Accounts

In a concerning cybersecurity development, researchers have uncovered a sophisticated phishing campaign attributed to a Vietnamese-linked group that leveraged Google AppSheet as an unwitting intermediary. Dubbed AccountDumpling, this operation successfully compromised roughly 30,000 Facebook accounts by using deceptive emails that routed victims through legitimate AppSheet forms. The stolen credentials were then resold via an underground storefront operated by the attackers. Below, we break down the most pressing questions about this threat.

What is the AccountDumpling phishing campaign?

The AccountDumpling campaign is a large-scale phishing operation discovered by cybersecurity firm Guardio. It specifically targets Facebook users, using a novel technique that exploits Google AppSheet—a legitimate low-code application platform—as a "phishing relay." Attackers send emails that appear to be from Facebook, prompting recipients to click a link that leads to a Google AppSheet form. The form then redirects victims to a fake Facebook login page, where they unknowingly surrender their credentials. Guardio estimates that approximately 30,000 Facebook accounts were compromised before the campaign was detected.

Who is behind the AccountDumpling operation?

While investigators have not publicly identified specific individuals, the operation is believed to be linked to Vietnam based on infrastructure analysis, language patterns, and the timing of activities. The group operates with a business-like structure, managing an illegal storefront where stolen Facebook accounts are advertised and sold. This suggests a commercially motivated threat actor, likely part of a cybercrime ring that specializes in credential harvesting and account resale. The codename AccountDumpling was assigned by Guardio to track and discuss the campaign.

How does Google AppSheet feature in this phishing attack?

Google AppSheet is a no-code development platform normally used to build mobile and web apps. The attackers repurposed it as a relay mechanism to bypass traditional email security filters. The phishing email contains a link to a legitimate-looking AppSheet form. When the victim fills in any required fields (often benign ones like name or email), the form automatically redirects them to a malicious landing page mimicking Facebook’s login screen. Because the initial interaction uses Google’s infrastructure, security tools see it as trustworthy, allowing the email to pass through spam filters.

What happens to the stolen Facebook accounts?

Once credentials are harvested, the accounts are sold through an illicit storefront operated by the same threat actors. Prices vary depending on the account’s age, activity level, number of friends, and other factors. Buyers—often other cybercriminals or spammers—use these accounts for fraud, spreading malware, impersonation, or launching further phishing attacks. The scale of 30,000 accounts represents a significant cache of compromised identities, amplifying the risk for both individual victims and their social networks.

How can users protect themselves from similar phishing attacks?

To avoid falling victim to campaigns like AccountDumpling, adopt these best practices:

• Inspect URLs carefully: Even if a link seems to come from a trusted platform like Google, hover over it to see the actual destination before clicking.
• Enable two-factor authentication (2FA) on your Facebook account—this adds an extra layer of protection even if your password is stolen.
• Be wary of unexpected emails that ask you to log in or provide personal information, even if they look official.
• Use a password manager: It will auto-fill credentials only on legitimate sites, helping you spot fake login pages.

What has Google done in response to this threat?

Google removed the malicious AppSheet forms as soon as Guardio reported them, and has implemented additional automated scanning to detect similar abuse in the future. However, the platform remains vulnerable to misuse because AppSheet is designed for legitimate business use. The incident highlights a broader challenge: cybercriminals increasingly exploit trusted services (Google, Microsoft, etc.) to mask their activities. Users are advised not to rely solely on platform providers but to remain vigilant against social engineering tactics.