Canva A.I CyberSecurity Scoring
Canva
Company Information
Website: http://www.canva.com
Employees number: 12,281
Number of followers: 2,424,997
NAICS: 5112
Industry Type: Software Development
Homepage: canva.com
Canva Risk Score (AI oriented)
Canva, Software Development
Score: 558/1000 (grade Ca, Very Poor); band: between 550 and 599
Updated: 01/05/2026
Canva Global Score (TPRM)
Canva, Software Development
Score locked
Current Score: 558, grade Ca (VERY POOR), on a 0 to 1000 scale
6 incidents
-39.67 avg impact per incident
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 565
MAY 2026: 575
Cyber Attack
01 May 2026 • Canva
Google, Vercel, Netlify, Canva and Adobe: 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign
Vietnamese-Linked Phishing Operation Hijacks 30,000 Facebook Accounts via Google AppSheet
Score: 558 | Severity: LOW-17 | Incident ID: CANADOGOONETVER1777660893
A newly uncovered cybercriminal operation, dubbed AccountDumpling by Guardio Labs, has exploited Google AppSheet as a phishing relay to compromise approximately 30,000 Facebook accounts. The campaign, attributed to Vietnamese threat actors, targets business account owners with deceptive emails impersonating Meta Support, warning of imminent account deletion unless users submit an appeal.
The attack begins with phishing emails sent from a Google AppSheet address ([email protected]), bypassing spam filters by leveraging the platform’s legitimacy. Victims are directed to fake Meta-branded pages, hosted on Netlify or Vercel or disguised as Google Drive PDFs, where they are tricked into entering credentials, two-factor authentication (2FA) codes, government ID photos, and other sensitive data. Stolen information is exfiltrated to attacker-controlled Telegram channels, which collectively hold records from victims across the U.S., Italy, Canada, the Philippines, and other countries.
The operation employs multiple lures, including:
- Fake Meta appeals (e.g., account disablement, copyright complaints, or verification reviews).
- Blue badge evaluation scams, using bogus CAPTCHA checks to harvest credentials.
- Google Drive-hosted PDFs (created via Canva) that mimic verification instructions.
- Fake job offers impersonating companies like Meta, WhatsApp, and Adobe to build trust before redirecting victims to malicious sites.
Metadata from the Canva-generated PDFs led researchers to a Vietnamese individual, PHẠM TÀI TÂN, whose website (phamtaitan[.]vn) advertises digital marketing services. Open-source intelligence suggests the operation is part of a broader underground economy in which stolen Facebook accounts, along with their associated ad reputations and recovery access, are monetized through illicit storefronts.
The campaign reflects a growing trend of Vietnamese threat actors repurposing trusted platforms (e.g., Google AppSheet, Netlify, Vercel) to scale phishing attacks, highlighting the commodification of compromised social media assets in cybercrime markets.
APRIL 2026: 571
MARCH 2026: 567
FEBRUARY 2026: 564
JANUARY 2026: 561
DECEMBER 2025: 575
Cyber Attack
28 Dec 2025 • Canva
Canva, Adyen, Atlassian, HubSpot, Epic Games, Moderna, GameStop, ZoomInfo, WeWork, Halliburton, Betterment, Sonos and Telstra: Over 100 Organizations Targeted in ShinyHunters Phishing Campaign
ShinyHunters-Linked Cybercrime Campaign Targets Over 100 Major Organizations
Score: 556 | Severity: CRITICAL-19 | Incident ID: CANADYATLHUBEPIMODGAMZOOWEWHALBETSONTEL1769527593
A recent cybercrime campaign attributed to the ShinyHunters group has targeted at least 100 organizations across multiple sectors, including software, finance, healthcare, and energy, according to cybersecurity firm Silent Push. Over the past 30 days, threat actors registered fake domains impersonating high-profile companies such as Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra.
The attackers employed voice phishing (vishing) tactics to compromise single sign-on (SSO) accounts, particularly those using Okta and other identity platforms. Using specialized phishing kits, they intercepted credentials and manipulated victims into bypassing multi-factor authentication (MFA) by convincing them to approve push notifications or submit one-time passcodes (OTPs). Okta described the attacks as involving real-time session orchestration, where threat actors guided victims through the authentication process via verbal instructions.
While Silent Push identified the infrastructure used in the campaign, it remains unclear whether the attacks successfully breached any systems. However, ShinyHunters has claimed responsibility for data breaches at companies like Betterment, Crunchbase, and SoundCloud, all of which confirmed incidents. The group allegedly stole millions of records from these organizations as part of the Okta SSO vishing campaign.
Silent Push attributes the campaign to Scattered LAPSUS$ Hunters, a collective formed last year by members of Lapsus$, Scattered Spider, and ShinyHunters, based on observed tactics, techniques, and procedures (TTPs). The incident follows recent warnings from Google and others about rising vishing and phishing attacks targeting identity platforms.
NOVEMBER 2025: 668
OCTOBER 2025: 566
SEPTEMBER 2025: 644
Breach
23 Sep 2025 • Canva
Canva
Hardcoded Secrets Crisis and Workforce Reduction Impact on Cybersecurity
Score: 561 | Severity: HIGH-83 | Incident ID: CAN5593155092325
Canva experienced a critical security incident caused by a leaked hardcoded secret, leading to days of downtime across multiple engineering teams. The breach diverted critical resources, originally allocated for product development, toward incident containment and remediation. The exposed secret created a risk of lateral movement, though no large-scale data exfiltration was publicly confirmed. The financial and operational impact included lost productivity, delayed projects, and reputational harm, compounded by the strain on an already lean security team. The incident highlights the cascading effects of unmanaged credentials in modern DevOps environments, where a single exposed API key or token can disrupt core business functions. While no customer data leak was reported, the operational outage amounted to a high-severity internal disruption, reinforcing the cost of credential mismanagement in scaled-down organizations.
AUGUST 2025: 641
JULY 2025: 638
JUNE 2025: 681
Breach
09 Jun 2025 • Canva
Canva
Chroma Database Exposure at My Jedai
Score: 633 | Severity: CRITICAL-48 | Incident ID: CAN900060925
A Chroma database operated by Russian AI chatbot startup My Jedai was found exposed online, leaking survey responses from over 500 Canva Creators. The exposed data included email addresses, feedback on Canva’s Creator Program, and personal insights into the experiences of designers across more than a dozen countries. The data exposure was discovered by cybersecurity firm UpGuard, which confirmed the database was publicly accessible and lacked authentication.
JANUARY 2025: 786
Breach
01 Jan 2025 • Canva
Tencent, MySpace, Twitter, Weibo, Canva, Adobe, Deezer, AdultFriendFinder, U.S. Government and Brazil Government: The 12-Terabyte Ghost: How a Record-Shattering Data Leak Is Arming a New Generation of Cyberattacks
Mother of All Breaches (MOAB)
Score: 668 | Severity: CRITICAL-118 | Incident ID: TENMYSTWITENCANADODEEFRIUNIBRA1769520245
The "Mother of All Breaches": 26 Billion Records Exposed in Unprecedented Data Leak
Security researchers have uncovered what may be the largest compilation of stolen credentials in history: a 12-terabyte database dubbed the "Mother of All Breaches" (MOAB), containing 26 billion records from thousands of prior data leaks. Discovered by researcher Bob Dyachenko of SecurityDiscovery.com in collaboration with Cybernews, the dataset was found on an open, publicly accessible server, though its owner remains unknown.
Unlike a single hack, the MOAB is a "compilation of breaches" (COB), aggregating credentials from major platforms, including:
- 1.5 billion records from Tencent
- 504 million from Weibo
- 360 million from MySpace
- 281 million from Twitter (X)
- Millions more from LinkedIn, Adobe, Canva, Deezer, AdultFriendFinder, and others
The dataset also includes records from government organizations in the U.S., Brazil, Germany, the Philippines, and Turkey, amplifying risks for both individuals and enterprises.
### Why This Breach Is a Game-Changer
The MOAB’s danger lies in its consolidation and accessibility. Instead of scattered leaks, attackers now have a single, searchable repository for credential stuffing, phishing, and targeted attacks. While many passwords are outdated, the sheer volume ensures some will still work, especially given widespread password reuse.
Worse, experts warn the dataset may include fresh data from infostealer malware, which harvests current credentials, browser cookies, and autofill details. This hybrid threat, combining historical breaches with live infections, creates a highly effective tool for cybercriminals, from low-level fraudsters to initial access brokers (IABs) selling corporate network access to ransomware gangs.
### The Fallout: A New Era of Cyber Risk
The MOAB’s impact extends beyond individuals. Corporate and government networks are at heightened risk due to employees reusing passwords across personal and work accounts. A single compromised credential could provide attackers with a foothold for devastating intrusions.
Security experts emphasize that password-only authentication is now obsolete against such a vast dataset. The breach underscores the urgent need for multi-factor authentication (MFA), particularly phishing-resistant methods like FIDO2 security keys. Continuous monitoring of credentials against breach databases is also critical.
With the data now in the wild, the MOAB will fuel cyberattacks for years, marking a sobering shift in the threat landscape. The leak serves as a stark reminder: once exposed, data never truly disappears; it only becomes more dangerous.
MAY 2019: 805
Breach
01 May 2019 • Canva
Canva
Canva Data Breach
Score: 738 | Severity: CRITICAL-67 | Incident ID: CAN554042824
In May 2019, Australian unicorn Canva experienced a substantial data breach, impacting 137 million users. A cybercriminal known as Gnosticplayers managed to breach Canva's security defenses but was detected by Canva's system monitoring for malicious activities. Despite the quick intervention, the hacker had already accessed a wealth of user data, including usernames, real names, email addresses, country of origin, encrypted passwords, and partial payment data. This breach was notable not only for its scale but also because the attacker chose to publicize the breach in a communication with ZDNet, diverging from the usual practice of keeping a low profile on dark web forums. Canva responded by notifying affected users, particularly those with decrypted passwords, advising them to change their passwords. Additionally, Canva reset passwords for users who hadn't updated theirs in the past six months, demonstrating the company's proactive stance on user security post-incident.
Frequently Asked Questions
- What is the current A.I Rankiteo Cyber Score for Canva?
- What was Canva's A.I Rankiteo Cyber Score in May 2026?
- What was Canva's A.I Rankiteo Cyber Score in April 2026?
- What was Canva's A.I Rankiteo Cyber Score in March 2026?
- What was Canva's A.I Rankiteo Cyber Score in February 2026?
- What was Canva's A.I Rankiteo Cyber Score in January 2026?
- What was Canva's A.I Rankiteo Cyber Score in December 2025?
- What was Canva's A.I Rankiteo Cyber Score in November 2025?
- What was Canva's A.I Rankiteo Cyber Score in October 2025?
- What was Canva's A.I Rankiteo Cyber Score in September 2025?
- What was Canva's A.I Rankiteo Cyber Score in August 2025?
- What was Canva's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Canva's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Canva?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Canva's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?