AccountDumpling Phishing Campaign Uses Google AppSheet to Steal Facebook Accounts
A phishing operation called AccountDumpling has compromised more than 30,000 Facebook accounts by abusing trusted online services instead of using obvious spoofed emails. The campaign mainly targets Facebook Business users, page admins, and advertisers.
Guardio Labs says the attackers used Google AppSheet as a phishing relay, which helped their emails pass normal authentication checks. The messages came from legitimate Google infrastructure, so many security filters treated them as trusted notifications.
The campaign also used Netlify, Vercel, Google Drive, Canva, and Telegram across different stages of the attack. This made the operation harder to detect because the attackers spread the phishing chain across well-known platforms.
How AccountDumpling works
The attack starts with an email that creates panic around a Facebook account. Victims may see claims about copyright violations, account disablement, Blue Badge verification, security checks, or business account problems.
The emails often come from [email protected] through Google AppSheet notifications. Since Google sends the message, checks such as SPF, DKIM, and DMARC can pass even though the content leads users into a phishing flow.
That is the core trick in this campaign. The email sender looks legitimate at a technical level, but the message content pushes users toward fake Meta or Facebook pages designed to steal account access.
At a glance
| Campaign name | AccountDumpling |
|---|---|
| Main target | Facebook users, Business account owners, page admins, and advertisers |
| Estimated victims | More than 30,000 compromised Facebook accounts |
| Main delivery method | Google AppSheet notification emails |
| Platforms abused | Google AppSheet, Netlify, Vercel, Google Drive, Canva, and Telegram |
| Main goal | Credential theft, identity collection, account takeover, and resale |
Four phishing paths lead to the same goal
Guardio Labs identified four major clusters in the operation. Each cluster used a different lure, but all of them focused on taking over Facebook accounts with real business value.
One cluster used Netlify-hosted fake Facebook Help Center pages. These pages warned users about account disablement, trademark complaints, or policy violations, then asked for login details, phone numbers, dates of birth, and government ID photos.
Another cluster promised rewards or verification benefits. These pages used Vercel-hosted phishing sites that looked like Meta security checks or privacy pages and collected passwords plus two-factor authentication codes.
Attackers used Google Drive PDFs and fake job offers
A more advanced cluster used Google Drive-hosted PDFs created with Canva. The PDFs looked like Meta notices, but links inside them led to live phishing panels where attackers could control the victim’s flow in real time.

These live panels could request passwords, 2FA codes, ID photos, and even screenshots from the victim’s browser. This gave the operators a better chance of bypassing account recovery and security checks.
The fourth cluster used fake recruitment messages from well-known brands, including Meta, WhatsApp, Apple, Adobe, Pinterest, Coca-Cola, Threads, and Ray-Ban Meta. Instead of sending victims straight to a phishing form, the attackers tried to move them into live conversations.
Telegram helped operators collect stolen data
Telegram played a central role in the campaign. Guardio found that stolen credentials, contact details, 2FA codes, and identity documents were sent to attacker-controlled Telegram bots and private channels.
This gave operators a real-time feed of stolen data. They could test logins, request more details, and take over accounts while victims were still interacting with the fake pages.
Guardio estimated the 30,000 victim count by analyzing multiple Telegram bot datasets. One dataset showed that 68.6 percent of victims were in the United States, although users from more than 50 countries appeared in the campaign.
Why Facebook Business accounts are valuable
Facebook Business accounts can hold ad access, payment methods, brand pages, and audience data. Once attackers take control, they can run scams, launch fraudulent ads, impersonate trusted businesses, or sell the account to another buyer.
The AccountDumpling operation also appears to follow a circular criminal model. Guardio says stolen accounts were pushed into a market where attackers could sell access or offer recovery-style services to victims.

This turns trust into a product. A stolen business account does not only hurt one victim, since attackers can use it to target customers, followers, and other businesses later.
What users and businesses should do now
- Do not trust an email only because it passes SPF, DKIM, or DMARC checks.
- Check the destination URL before entering Facebook or Meta login details.
- Use phishing-resistant two-factor authentication where possible.
- Review Facebook Business Manager users, admins, payment methods, and ad accounts.
- Remove unknown devices, sessions, and recovery contacts from Facebook accounts.
- Report suspicious AppSheet, Netlify, Vercel, or Google Drive links to the platform hosting them.
- Train page admins to treat urgent “account disablement” and “Blue Badge” emails with caution.
The bigger lesson for security teams
AccountDumpling shows why modern phishing is harder to stop with email authentication alone. A message can come from a real service and still lead to a malicious page.
Security teams need to inspect message intent, landing pages, redirects, and user behavior. They also need alerts for unusual Facebook Business changes, new admins, new ad activity, and suspicious recovery attempts.
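A content-based triage check for the pattern described above, where authentication passes but the message points a Facebook or Meta lure at a free hosting platform. This is an added example, not Guardio's tooling; the hosting suffixes, lure terms, sender address and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed hosting suffixes for platforms the article names; tune for your environment.
ABUSED_SUFFIXES = ("netlify.app", "vercel.app", "drive.google.com")
LURE_TERMS = ("copyright", "disabled", "blue badge", "verification", "security check")
BRAND_RE = re.compile(r"\b(facebook|meta)\b", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def on_suffix(host, suffixes):
    """True when host equals a suffix or is a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in suffixes)

def triage(raw):
    """Score one RFC 5322 message on content, independent of sender authentication."""
    msg = message_from_string(raw, policy=policy.default)
    auth = str(msg.get("Authentication-Results", "")).lower()
    auth_pass = all(f"{m}=pass" in auth for m in ("spf", "dkim", "dmarc"))
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    hosts = sorted({urlparse(u).hostname or "" for u in URL_RE.findall(text)})
    abused = [h for h in hosts if on_suffix(h, ABUSED_SUFFIXES)]
    lures = [t for t in LURE_TERMS if t in text.lower()]
    # Brand claim + urgency lure + link to free hosting: flag even if auth passed.
    suspicious = bool(BRAND_RE.search(text)) and bool(lures) and bool(abused)
    return {"auth_pass": auth_pass, "lures": lures, "abused_hosts": abused,
            "verdict": "suspicious" if suspicious else "no-signal"}

# Constructed sample messages (not taken from the campaign).
HEADERS = ("From: Notifications <sender@relay.example>\n"
           "To: admin@corp.example\n"
           "Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass\n")
PHISH = HEADERS + ("Subject: Your Facebook page will be disabled\n\n"
                   "A copyright complaint was filed. Appeal here:\n"
                   "https://example-lure.netlify.app/appeal\n")
BENIGN = HEADERS + ("Subject: Weekly report\n\n"
                    "Your Facebook page summary: https://www.facebook.com/business\n")

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(name, triage(raw))
```

Both samples pass SPF, DKIM and DMARC; only the content signals separate them, which is why the verdict ignores `auth_pass`.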
For Facebook users and businesses, the safest approach is simple. Treat urgent account warnings as suspicious, open Meta tools directly from the official site, and never upload ID documents through links received by email.
FAQ
Change your password immediately, remove unknown sessions, check Business Manager permissions, review payment methods, enable stronger 2FA, and report the incident through Meta’s official support channels.
The campaign used Google AppSheet for email delivery, Netlify and Vercel for phishing pages, Google Drive and Canva for PDF lures, and Telegram for stolen data collection.
AccountDumpling is a phishing operation uncovered by Guardio Labs. It abuses trusted platforms, especially Google AppSheet, to send phishing messages that target Facebook accounts.
Guardio Labs estimated that more than 30,000 Facebook accounts were compromised through the campaign.