Vietnamese-linked threat actors compromise 30,000 Facebook accounts via Google AppSheet phishing campaign
AI-generated from multiple sources. Verify before acting on this reporting.
A phishing campaign orchestrated by Vietnamese-linked threat actors has compromised approximately 30,000 Facebook accounts across multiple countries, security researchers said Monday. The attackers exploited Google AppSheet to harvest user credentials and personal data by deceiving victims into believing their accounts faced imminent deletion.
The operation, identified through metadata analysis linking the actors to the name 'PHẠM TÀI TÂN', targeted users in the United States, Italy, Canada, the Philippines, India, Spain, Australia, the United Kingdom, Brazil, and Mexico. Victims received messages warning of account suspension, prompting them to enter login information on fraudulent pages hosted through the cloud-based development platform.
Once users submitted their credentials, the attackers gained access to personal data and account control. The stolen accounts are being sold on underground digital marketplaces for monetary gain, according to cybersecurity analysts tracking the incident. The breach is one of the largest credential harvesting operations targeting Facebook users in recent months.
The campaign utilized Google AppSheet, a low-code development tool, to create convincing phishing interfaces that mimicked official Facebook security pages. The sophistication of the operation suggests organized criminal activity rather than opportunistic hacking. Victims reported receiving urgent notifications claiming their accounts contained policy violations or suspicious activity, creating pressure to act quickly.
Facebook has not yet issued a public statement regarding the specific breach, though the company routinely advises users to enable two-factor authentication and review active login sessions. Google AppSheet has not commented on the misuse of its platform in this campaign.
Cybersecurity experts warn that compromised accounts often serve as entry points for further attacks, including identity theft, financial fraud, and the spread of disinformation. The stolen credentials may also be used to reset passwords for other services where users reuse login information.
The incident highlights the growing use of legitimate cloud platforms by threat actors to conduct large-scale phishing operations. Unlike traditional phishing sites hosted on malicious domains, attacks leveraging trusted services like Google AppSheet can bypass some security filters and appear more credible to victims.
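Because the hosting domain is itself reputable, a filter has to look at the mismatch between the brand a message claims and where its links lead, not at domain reputation alone. The following is an added example, not taken from the researchers or from either company; the host lists, phrases, score threshold and sample messages are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the article): these hostnames and phrases are
# illustrative; tune them to your own mail and proxy telemetry.
TRUSTED_APP_HOSTS = {"appsheet.com"}  # low-code platform serving user-built apps
BRAND_HOSTS = {"facebook": {"facebook.com", "fb.com", "meta.com"}}
URGENCY = re.compile(
    r"(account|page)\b.{0,60}\b(delet|suspen|disabl|restrict)"
    r"|policy violation|suspicious activity", re.I | re.S)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def _under(host, domains):
    """True if host equals, or is a subdomain of, any entry in domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def score_message(body):
    """Return (score, reasons) for one message body; a score of 3 merits review."""
    hosts = [urlparse(u).hostname for u in URL.findall(body)]
    brands = [b for b in BRAND_HOSTS if re.search(rf"\b{b}\b", body, re.I)]
    reasons = []
    if brands and URGENCY.search(body):
        reasons.append("brand name combined with account-deletion pressure")
    for brand in brands:
        # Links in a brand notice that do not resolve under the brand's own domains.
        off_brand = [h for h in hosts if h and not _under(h, BRAND_HOSTS[brand])]
        if off_brand:
            reasons.append(f"{brand} notice links off-brand: {sorted(set(off_brand))}")
            if any(_under(h, TRUSTED_APP_HOSTS) for h in off_brand):
                reasons.append("link target is a user-built app on a trusted platform")
    return len(reasons), reasons

# Constructed sample messages (not real campaign data).
SAMPLES = {
    "lure": "Facebook Security: your account will be deleted within 24 hours for a "
            "policy violation. Appeal here: https://www.appsheet.com/start/EXAMPLE-APP-ID",
    "genuine": "Facebook: a new login was detected. Review it at "
               "https://www.facebook.com/settings?tab=security",
    "unrelated": "Your AppSheet app was shared: "
                 "https://www.appsheet.com/start/EXAMPLE-APP-ID",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *score_message(text))
```

Only the constructed lure reaches a score of 3; a notice linking to the brand's own domain and an ordinary platform share message both score 0, which is the distinction a reputation-only filter cannot make.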
Authorities in affected countries have not announced investigations into the specific actors behind the campaign. The identity of PHẠM TÀI TÂN remains unconfirmed, and no arrests have been made. Questions remain about whether the campaign is part of a larger operation or a standalone effort by the threat group.
Security researchers continue to monitor underground marketplaces for the sale of compromised accounts. The full extent of the data breach and potential financial losses for victims remain unclear as the investigation develops.