On a Thursday morning in October 2023, Mr. Cooper's security team realized something was wrong. Systems that had been running normally hours earlier were suddenly unresponsive. Customer portals went dark. Payment processing stopped. By the time the breach was contained, hackers had accessed personal and financial records belonging to 14.7 million current and former customers — including data dating back to when the company operated as Nationstar Mortgage.
The stolen files included Social Security numbers, bank account details, and complete mortgage histories. Mr. Cooper spent over $25 million on incident response. Customers couldn't make mortgage payments for four days. And the data — the real prize — was already circulating on underground forums where buyers pay premium prices for "fullz" records from financial institutions.
This is how every modern cyber heist begins. Not with sophisticated code or zero-day exploits, but with stolen credentials and patient reconnaissance. This is Part 1 of a four-part series tracking each phase of the kill chain that credit unions, banks, and mortgage companies face today.
Mr. Cooper Data Breach
14.7 million customer records stolen — including SSNs, bank accounts, and mortgage data dating to 2001. Systems offline for 4 days. Over $25 million in incident costs. Attackers accessed records from the company's years operating as Nationstar Mortgage, exposing two decades of borrower data.
Sources: SEC filing (Dec 2023), TechCrunch, BleepingComputer
The Mr. Cooper Breach: 14.7 Million Records Stolen
Mr. Cooper is the largest non-bank mortgage servicer in the United States, handling over $900 billion in unpaid principal balance across roughly 4 million loans. When attackers breached their network in October 2023, they didn't grab a random slice of data. They methodically exfiltrated records spanning more than two decades of lending history.
The breach exposed everything an identity thief needs: full names, Social Security numbers, dates of birth, bank account numbers, and detailed mortgage payment histories. For many victims, this data was more comprehensive than what their own banks held on file.
Mr. Cooper shut down customer-facing systems for four days. Borrowers couldn't log in to check balances, make payments, or access their accounts. The company reported over $25 million in direct incident costs — forensic investigation, credit monitoring for 14.7 million people, legal fees, and system rebuilding.
But the real damage extends far beyond the incident itself. Stolen mortgage data retains value for years. A Social Security number paired with a mortgage payment history, bank account, and home address creates what dark web brokers call a "premium fullz" — a complete identity profile worth significantly more than a stolen credit card number that expires in months.
Why This Matters for Credit Unions, Banks, and Mortgage Companies
Mr. Cooper's breach didn't stay contained. Borrower records dating to 2001 surfaced on underground forums where threat actors buy, trade, and weaponize stolen identities. If your institution handles mortgage servicing — even if you've never been breached directly — your borrowers' data may already be circulating because a third-party servicer or vendor was compromised. The question isn't whether stolen credentials exist with your domain name attached. It's whether you're monitoring for them.
How Stolen Credentials Fuel the Dark Web Pipeline
Every data breach feeds a pipeline. Stolen credentials move through a predictable lifecycle on underground forums, and financial institution data commands the highest prices.
Breach and Exfiltration
Attackers access an organization's network — often through a compromised vendor, unpatched vulnerability, or phished employee credential. Data is exfiltrated slowly, in small packets disguised as normal traffic, to avoid triggering alerts.
Initial Sale on Dark Web Forums
Stolen records appear for sale on underground forums within days. Financial institution data sells at a premium — a complete "fullz" record (SSN + bank account + address + employment) from a mortgage company sells for $30 to $80, compared to $5 to $15 for a basic credit card number.
Credential Cracking and Correlation
Threat actors cross-reference leaked email addresses against breach databases from other platforms. If an employee reuses passwords across a webinar platform, a personal email account, and their corporate login, one compromised password unlocks all three.
Weaponization
Working credentials are packaged into "target profiles" — the employee's name, title, reporting structure, vendor relationships, recent projects, and validated login credentials. These profiles are sold to attackers who specialize in spear-phishing campaigns against financial institutions.
This pipeline runs continuously. The ITRC reports that while total breach volume declined slightly in 2025, the number of individuals affected actually increased — meaning each breach is capturing larger, more complete data sets. Attackers are getting more selective and more efficient.
For credit unions, banks, and mortgage companies, the pipeline creates a compounding problem. A single breach at one vendor can expose credentials that unlock access to dozens of institutions downstream. When Marquis Software Solutions was breached through a SonicWall firewall vulnerability in August 2025, attackers accessed data from 74 banks and credit unions and more than 780,000 individuals — all through one compromised vendor.
Are Your Credentials Already on the Dark Web?
Guardian leverages Entra ID Protection to detect when your users' credentials appear in known breach databases — and auto-remediates before attackers exploit them.
The Reconnaissance Playbook: From LinkedIn to Loan Files
Stolen credentials are just the starting point. What separates a mass-spray phishing campaign from a targeted attack on your institution is reconnaissance — the hours an attacker spends building a profile of your organization, your employees, and your vendors before sending a single email.
The financial services sector absorbs 27.7% of all phishing attempts globally. That targeting isn't random. Attackers invest in reconnaissance because the payoff from a successful attack on a credit union, bank, or mortgage company far exceeds what they'd extract from a retailer or manufacturer.
What Attackers Find Publicly
- Employee names, titles, and reporting structure (LinkedIn)
- Vendor relationships and technology stack (conference posts, case studies)
- Project milestones and closing dates (social media)
- Office locations, badge photos, desk setups (Instagram, X)
- Email format patterns (firstname.lastname@domain)
What That Information Unlocks
- Spear-phishing emails addressed by name with correct job context
- Fake vendor invoices referencing real technology and real projects
- Wire transfer requests timed to actual closing dates
- Physical security bypass (tailgating using recognized faces)
- Credential stuffing targeted at confirmed email addresses
A loan officer posts on LinkedIn about closing a record quarter. A processor mentions switching to a new document management system. An underwriter shares a photo from a team offsite with their badge visible. Each piece is harmless in isolation. Combined, they give an attacker enough context to craft a phishing email that feels completely legitimate — because it references real people, real projects, and real vendor relationships.
This is the technique that drove Babatunde Ayeni's $19.6 million BEC scheme, which targeted 231 real estate closings between 2020 and 2024. Ayeni's team didn't hack firewalls. They phished title company employees, monitored closing communications, and sent fraudulent wire instructions at exactly the right moment — when a real closing was happening and everyone expected a wire transfer request.
The Wells Fargo Insider: 200,000 Records Sold in Days
Not every data breach starts with an external attacker. In September 2025, a former Wells Fargo employee was identified as the source of 200,000 customer records that appeared for sale on the Dread Forum — one of the largest dark web marketplaces.
Wells Fargo Insider Data Theft
A former employee sold 200,000 customer records — including SSNs, bank account numbers, and routing numbers — on the Dread Forum. The records were packaged as "premium fullz" and sold within days. Buyers had complete identity profiles: enough to open accounts, redirect deposits, and file fraudulent tax returns.
Sources: Kaduu, DarknetSearch, multiple security researchers
The Wells Fargo case illustrates a category of risk that perimeter defenses can't address. The data wasn't exfiltrated through a firewall breach or a phishing campaign. It walked out the door with someone who had legitimate access. And because the employee had left the organization before the theft was discovered, the exposure window stretched months before anyone noticed.
FinWise Bank faced the same pattern when a former employee continued accessing customer data for two years after termination, compromising 689,000 American First Finance customer records. The breach wasn't discovered until May 2024 — long after the data had been harvested.
| Incident | Date | Records Exposed | Attack Vector | Detection Time |
|---|---|---|---|---|
| Mr. Cooper | Oct 2023 | 14.7 million | Network intrusion | Days |
| LoanDepot | Jan 2024 | 16.6 million | Ransomware | Days |
| Marquis Software | Aug 2025 | 780,000+ | SonicWall vulnerability | Weeks |
| Wells Fargo (insider) | Sep 2025 | 200,000 | Former employee | Months |
| FinWise Bank (insider) | 2022–2024 | 689,000 | Former employee (2 years) | 2+ years |
| SRP Federal CU | Sep–Nov 2024 | 240,000 | Ransomware | 2 months |
These numbers tell a clear story: financial institutions of every size are targets. The common thread isn't the sophistication of the attack — it's the gap between compromise and detection. Weeks. Months. In FinWise Bank's case, more than two years.
The question for credit unions, banks, and mortgage companies isn't whether stolen credentials with your domain name exist on the dark web. It's whether you're monitoring for them before attackers use them.
Breaking the First Link in the Kill Chain
Every incident in this article shares a root cause: credentials that were exposed, stolen, or misused — and nobody knew until the damage was done. This is the first link in the cyber kill chain, and it's where prevention delivers the highest return.
The controls that break this link aren't theoretical. They're deployed across the Microsoft 365 environment that most financial institutions already pay for:
Leaked credential detection and automated response. Guardian leverages Microsoft Entra ID Protection's leaked credential detection, which continuously checks user password hashes against known breach databases, public paste sites, and credentials surfaced by Microsoft's threat intelligence teams and law enforcement partnerships. When a match is found, risk-based Conditional Access policies automatically force a password reset and MFA challenge — before the compromised credential can be exploited. If Mr. Cooper's third-party vendors had this detection and auto-remediation in place, downstream exposure from their breach would have been identified and contained faster.
Entra ID configuration and Conditional Access. Block legacy authentication protocols that bypass modern controls. Enforce device compliance requirements. Restrict access from unmanaged devices and suspicious locations. These policies stop credential stuffing attacks even when the attacker holds a valid password — because the password alone isn't enough.
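The two controls just described, a user-risk policy that forces MFA plus a password change and a policy that blocks legacy authentication, can be expressed as Conditional Access policies through the Microsoft Graph PowerShell SDK. This is an added example, not ABT's or Guardian's own code; it assumes the Microsoft.Graph module is installed, the caller holds the Policy.ReadWrite.ConditionalAccess scope, and the break-glass group ID is a placeholder you replace with your own.

```powershell
# Added example (not ABT/Guardian code): two Conditional Access policies built
# with the Microsoft Graph PowerShell SDK. Both start in report-only mode so
# sign-in logs can be reviewed before enforcement.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumed): object ID of the emergency-access (break-glass) group
# that must never be locked out by either policy.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

# Policy 1: when Entra ID Protection rates a user as high risk (for example after
# a leaked-credential match), require MFA and a password change. The operator
# must be AND because passwordChange is only valid together with mfa.
$userRiskPolicy = @{
    displayName   = "CA-UserRisk-High-RequirePasswordChange"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

# Policy 2: block legacy authentication clients (Exchange ActiveSync and "other
# clients" such as POP/IMAP/SMTP AUTH) that cannot satisfy MFA, so a valid but
# stolen password alone is not enough to sign in.
$legacyAuthPolicy = @{
    displayName   = "CA-Block-LegacyAuthentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($userRiskPolicy, $legacyAuthPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' in state $($created.State)"
}
```

Review the report-only results in the sign-in logs, then switch each policy's state to "enabled" once the break-glass exclusion and any service-account exceptions are confirmed.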
Automated privileged access reviews. The Wells Fargo and FinWise Bank insider breaches both exploited access that persisted after the employee left. Automated access reviews in Entra ID flag dormant accounts and unused elevated permissions. Guardian's hardening protocols include service account auditing and regular privilege reviews.
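A first pass at the dormant-account problem behind the Wells Fargo and FinWise cases can be scripted against Entra ID: list enabled accounts with no sign-in in the last 90 days and flag any that still hold a directory role. This is an added example, not ABT's or Guardian's own tooling; it assumes Microsoft Entra ID P1 (required for the signInActivity property), the Microsoft.Graph module, and a 90-day threshold that is an assumed policy value.

```powershell
# Added example (not ABT/Guardian code): report enabled accounts that have not
# signed in for 90 days and show which directory roles they still hold.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All", "Directory.Read.All"

# Assumed policy value: accounts idle longer than this are considered dormant.
$staleBefore = (Get-Date).AddDays(-90)

# signInActivity must be requested explicitly; it is not returned by default.
$users = Get-MgUser -All -Property "id,displayName,userPrincipalName,accountEnabled,signInActivity"

$dormant = foreach ($u in $users) {
    # Disabled accounts are already off the table; focus on live ones.
    if (-not $u.AccountEnabled) { continue }

    # Use the most recent of interactive and non-interactive sign-in. A null
    # result means no recorded sign-in at all since activity logging began.
    $act  = $u.SignInActivity
    $last = @($act.LastSignInDateTime, $act.LastNonInteractiveSignInDateTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    if ($last -and $last -gt $staleBefore) { continue }

    # Unused elevated permissions: directory roles still assigned to the account,
    # directly or through group membership, even though nobody is using it.
    $roles = Get-MgUserTransitiveMemberOf -UserId $u.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        LastSignIn        = $last          # blank means never signed in
        DirectoryRoles    = ($roles -join ', ')
    }
}

# Accounts with roles and no recent sign-in are the first candidates for an
# access review; the rest are candidates for disablement.
$dormant | Sort-Object LastSignIn | Format-Table -AutoSize
```

Run this on a schedule and compare each report to HR's separation list; any account on both lists is the exact gap the insider cases above exploited.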
Password policy enforcement and credential hygiene. The FTC Safeguards Rule requires mortgage lenders to implement multi-factor authentication for anyone accessing customer information. But MFA without credential hygiene leaves gaps — password reuse across platforms, weak hashes from legacy systems, and shared service accounts all create exposure that MFA alone doesn't cover.
These controls aren't bolt-on security products. They're configurations within the Microsoft environment — Entra ID, Defender, Purview, and Sentinel — activated and monitored by a team that understands how financial institutions actually operate.
ABT deploys this stack across 750+ credit unions, banks, and mortgage companies. No third-party MSP platforms like ConnectWise, Kaseya, or SolarWinds that add their own supply chain risk. When ConnectWise was breached in February 2024 and again in May 2025, ABT clients had zero exposure — because the attack surface simply didn't exist.
Kill Chain Status — Part 1 of 4
[RECON >>>] Phish > Breach > Heist
You've seen how the kill chain starts: stolen credentials, dark web markets, and patient reconnaissance. In Part 2: The Phish, those stolen credentials become the foundation for AiTM attacks that bypass even multi-factor authentication — and the real-world BEC schemes that have drained $19.6 million from mortgage closings.
Find Out If Your Credentials Are Already Exposed
Mortgage Workspace's Guardian platform monitors the dark web for stolen credentials tied to your domain and hardens your Microsoft 365 environment against the exact attack patterns described in this article. The security assessment is free and takes 30 minutes.
Frequently Asked Questions
Microsoft Entra ID Protection includes leaked credential detection that continuously checks user password hashes against known breach databases, public paste sites, and credentials surfaced through Microsoft's threat intelligence partnerships with law enforcement. When a match is found, risk-based Conditional Access policies can automatically force a password reset and MFA challenge before the compromised credential is exploited. For financial institutions handling sensitive borrower data, this early warning system catches stolen passwords before they become the first link in an attack chain. Guardian from ABT configures and monitors these Entra ID Protection signals as part of the broader Microsoft 365 security environment, ensuring alerts are acted on immediately rather than buried in a log.
Over 80% of hacking-related breaches involve stolen or weak credentials, according to Verizon's Data Breach Investigations Report. The financial services sector absorbs 27.7% of all phishing attempts globally, making credit unions, banks, and mortgage companies among the most targeted industries. The FBI's IC3 reported over 859,000 internet crime complaints in 2024 with losses exceeding $16 billion, with business email compromise — which relies on stolen credentials — accounting for $2.8 billion of those losses.
Financial institutions store some of the most sensitive personal and financial data available: Social Security numbers, bank account details, tax returns, employment records, and complete credit histories. This data retains value for years on the dark web. When Mr. Cooper was breached in October 2023, attackers accessed records dating back to 2001. A stolen mortgage "fullz" record — SSN, bank account, address, and employment data — sells for $30 to $80 on underground forums, compared to $5 to $15 for a basic credit card number. The combination of high-value data, complex vendor relationships, and regulatory pressure makes credit unions, banks, and mortgage companies prime targets.
The updated FTC Safeguards Rule requires financial institutions to designate a qualified individual to oversee security, conduct documented risk assessments, implement multi-factor authentication for all system access, encrypt data at rest and in transit, perform regular penetration testing, and maintain a written incident response plan. Institutions must also report breaches affecting 500 or more consumers to the FTC within 30 days of discovery. For mortgage lenders specifically, these requirements apply to anyone with access to customer information — including third-party servicers and vendors.
Every third-party tool in your security stack adds attack surface. When ConnectWise ScreenConnect was breached in February 2024 through a critical authentication bypass vulnerability (CVSS 10.0), MSPs using the platform exposed their downstream clients to Play and LockBit ransomware. ConnectWise was breached again in May 2025 by a nation-state actor. A pure Microsoft stack — using Entra ID, Defender, Purview, and Sentinel — eliminates the MSP platform supply chain entirely. ABT serves 750+ financial institutions on this architecture, which meant zero client exposure during both ConnectWise breaches.
Justin Kirsch
CEO, Access Business Technologies
Justin Kirsch has spent over 25 years helping credit unions, banks, and mortgage companies defend against the exact attack patterns described in this series. As CEO of Access Business Technologies, the largest Tier-1 Microsoft Cloud Solution Provider dedicated to financial services, he leads a team that monitors and hardens Microsoft 365 environments for more than 750 financial institutions nationwide.