The Exploit: Anatomy of a Modern Cyber Heist Part 1 - The Leak in the Shadows

Justin Kirsch | 11 min read

On a Thursday morning in October 2023, Mr. Cooper's security team realized something was wrong. Systems that had been running normally hours earlier were suddenly unresponsive. Customer portals went dark. Payment processing stopped. By the time the breach was contained, hackers had accessed personal and financial records belonging to 14.7 million current and former customers, including data dating back to when the company operated as Nationstar Mortgage.

The stolen files included Social Security numbers, bank account details, and complete mortgage histories. Mr. Cooper spent over $25 million on incident response. Customers couldn't make mortgage payments for four days. And the data, the real prize, was already circulating on underground forums where buyers pay premium prices for "fullz" records from financial institutions.

This is how every modern cyber heist begins. Not with sophisticated code or zero-day exploits, but with stolen credentials and patient reconnaissance. This is Part 1 of a four-part series tracking each phase of the kill chain that credit unions, banks, and mortgage companies face today.

Case Study: October 2023

Mr. Cooper Data Breach

14.7 million customer records stolen, including SSNs, bank accounts, and mortgage data dating to 2001. Systems offline for 4 days. Over $25 million in incident costs. Attackers accessed records from the company's years operating as Nationstar Mortgage, exposing two decades of borrower data.

Sources: SEC filing (Dec 2023), TechCrunch, BleepingComputer

The Mr. Cooper Breach: 14.7 Million Records Stolen

Mr. Cooper is the largest non-bank mortgage servicer in the United States, handling over $900 billion in unpaid principal balance across roughly 4 million loans. When attackers breached their network in October 2023, they didn't grab a random slice of data. They methodically exfiltrated records spanning more than two decades of lending history.

The breach exposed everything an identity thief needs: full names, Social Security numbers, dates of birth, bank account numbers, and detailed mortgage payment histories. For many victims, this data was more comprehensive than what their own banks held on file.

Mr. Cooper shut down customer-facing systems for four days. Borrowers couldn't log in to check balances, make payments, or access their accounts. The company reported over $25 million in direct incident costs, covering forensic investigation, credit monitoring for 14.7 million people, legal fees, and system rebuilding.

739 data compromises hit U.S. financial institutions in 2025, and attacks are becoming more targeted and selective. (Source: Identity Theft Resource Center, 2025 Annual Data Breach Report)

But the real damage extends far beyond the incident itself. Stolen mortgage data retains value for years. A Social Security number paired with a mortgage payment history, bank account, and home address creates what dark web brokers call a "premium fullz," a complete identity profile worth significantly more than a stolen credit card number that expires in months.

Why This Matters for Credit Unions, Banks, and Mortgage Companies

Mr. Cooper's breach didn't stay contained. Borrower records dating to 2001 surfaced on underground forums where threat actors buy, trade, and weaponize stolen identities. If your institution handles mortgage servicing, even if you've never been breached directly, your borrowers' data may already be circulating because a third-party servicer or vendor was compromised. The question isn't whether stolen credentials exist with your domain name attached. It's whether you're monitoring for them.

How Stolen Credentials Fuel the Dark Web Pipeline

Every data breach feeds a pipeline. Stolen credentials move through a predictable lifecycle on underground forums, and financial institution data commands the highest prices.

1. Breach and Exfiltration

Attackers access an organization's network, often through a compromised vendor, unpatched vulnerability, or phished employee credential. Data is exfiltrated slowly, in small packets disguised as normal traffic, to avoid triggering alerts.

2. Initial Sale on Dark Web Forums

Stolen records appear for sale on underground forums within days. Financial institution data sells at a premium. A complete "fullz" record (SSN plus bank account, address, and employment) from a mortgage company sells for $30 to $80, compared to $5 to $15 for a basic credit card number.

3. Credential Cracking and Correlation

Threat actors cross-reference leaked email addresses against breach databases from other platforms. If an employee reuses passwords across a webinar platform, a personal email account, and their corporate login, one compromised password unlocks all three.

4. Weaponization

Working credentials are packaged into "target profiles" that include the employee's name, title, reporting structure, vendor relationships, recent projects, and validated login credentials. These profiles are sold to attackers who specialize in spear-phishing campaigns against financial institutions.

This pipeline runs continuously. The ITRC reports that while total breach volume declined slightly in 2025, the number of individuals affected actually increased, meaning each breach is capturing larger, more complete data sets. Attackers are getting more selective and more efficient.

For credit unions, banks, and mortgage companies, the pipeline creates a compounding problem. A single breach at one vendor can expose credentials that unlock access to dozens of institutions downstream. When Marquis Software Solutions was breached through a SonicWall firewall vulnerability in August 2025, attackers accessed data from 74 banks and credit unions and more than 780,000 individuals, all through one compromised vendor.

Are Your Credentials Already on the Dark Web?

M365 Guardian leverages Microsoft Entra ID Protection to detect when your users' credentials appear in known breach databases, and auto-remediates before attackers exploit them.

The Reconnaissance Playbook: From LinkedIn to Loan Files

Stolen credentials are just the starting point. What separates a mass-spray phishing campaign from a targeted attack on your institution is reconnaissance, the hours an attacker spends building a profile of your organization, your employees, and your vendors before sending a single email.

The financial services sector absorbs 27.7% of all phishing attempts globally. That targeting isn't random. Attackers invest in reconnaissance because the payoff from a successful attack on a credit union, bank, or mortgage company far exceeds what they'd extract from a retailer or manufacturer.

What Attackers Find Publicly

  • Employee names, titles, and reporting structure (LinkedIn)
  • Vendor relationships and technology stack (conference posts, case studies)
  • Project milestones and closing dates (social media)
  • Office locations, badge photos, desk setups (Instagram, X)
  • Email format patterns (firstname.lastname@domain)

What That Information Unlocks

  • Spear-phishing emails addressed by name with correct job context
  • Fake vendor invoices referencing real technology and real projects
  • Wire transfer requests timed to actual closing dates
  • Physical security bypass (tailgating using recognized faces)
  • Credential stuffing targeted at confirmed email addresses

A loan officer posts on LinkedIn about closing a record quarter. A processor mentions switching to a new document management system. An underwriter shares a photo from a team offsite with their badge visible. Each piece is harmless in isolation. Combined, they give an attacker enough context to craft a phishing email that feels completely legitimate, because it references real people, real projects, and real vendor relationships.

This is the technique that drove Babatunde Ayeni's $19.6 million BEC scheme, which targeted 231 real estate closings between 2020 and 2024. Ayeni's team didn't hack firewalls. They phished title company employees, monitored closing communications, and sent fraudulent wire instructions at exactly the right moment, when a real closing was happening and everyone expected a wire transfer request. For a deeper look at how those messages slip past inbox defenses, see our companion piece on email security for mortgage lenders, stopping wire fraud and BEC attacks at the closing table.

The Wells Fargo Insider: 200,000 Records Sold in Days

Not every data breach starts with an external attacker. In September 2025, a former Wells Fargo employee was identified as the source of 200,000 customer records that appeared for sale on the Dread Forum, one of the largest dark web marketplaces.

Case Study: September 2025

Wells Fargo Insider Data Theft

A former employee sold 200,000 customer records, including SSNs, bank account numbers, and routing numbers, on the Dread Forum. The records were packaged as "premium fullz" and sold within days. Buyers had complete identity profiles: enough to open accounts, redirect deposits, and file fraudulent tax returns.

Sources: Kaduu, DarknetSearch, multiple security researchers

The Wells Fargo case illustrates a category of risk that perimeter defenses can't address. The data wasn't exfiltrated through a firewall breach or a phishing campaign. It walked out the door with someone who had legitimate access. And because the employee had left the organization before the theft was discovered, the exposure window stretched months before anyone noticed.

FinWise Bank faced the same pattern when a former employee continued accessing customer data for two years after termination, compromising 689,000 American First Finance customer records. The breach wasn't discovered until May 2024, long after the data had been harvested.

| Incident | Date | Records Exposed | Attack Vector | Detection Time |
|---|---|---|---|---|
| Mr. Cooper | Oct 2023 | 14.7 million | Network intrusion | Days |
| LoanDepot | Jan 2024 | 16.6 million | Ransomware | Days |
| Marquis Software | Aug 2025 | 780,000+ | SonicWall vulnerability | Weeks |
| Wells Fargo (insider) | Sep 2025 | 200,000 | Former employee | Months |
| FinWise Bank (insider) | 2022 to 2024 | 689,000 | Former employee (2 years) | 2+ years |
| SRP Federal CU | Sep to Nov 2024 | 240,000 | Ransomware | 2 months |

These numbers tell a clear story: financial institutions of every size are targets. The common thread isn't the sophistication of the attack. It's the gap between compromise and detection. Weeks. Months. In FinWise Bank's case, more than two years.

[Figure: Financial institution data breaches 2023 to 2025, over 33 million records compromised in a 2-year span across Mr. Cooper, LoanDepot, Marquis Software, Wells Fargo, FinWise Bank, and SRP Federal Credit Union.]

The question for credit unions, banks, and mortgage companies isn't whether stolen credentials with your domain name exist on the dark web. It's whether you're monitoring for them before attackers use them.

Breaking the First Link in the Kill Chain

Every incident in this article shares a root cause: credentials that were exposed, stolen, or misused, and nobody knew until the damage was done. This is the first link in the cyber kill chain, and it's where prevention delivers the highest return.

The controls that break this link aren't theoretical. They're deployed across the Microsoft 365 environment that most financial institutions already pay for:

Leaked credential detection and automated response. M365 Guardian leverages Microsoft Entra ID Protection's leaked credential detection, which continuously checks user password hashes against known breach databases, public paste sites, and credentials surfaced by Microsoft's threat intelligence teams and law enforcement partnerships. When a match is found, risk-based Conditional Access policies automatically force a password reset and MFA challenge before the compromised credential can be exploited. If Mr. Cooper's third-party vendors had this detection and auto-remediation in place, downstream exposure from their breach would have been identified and contained faster.

Entra ID configuration and Conditional Access. Block legacy authentication protocols that bypass modern controls. Enforce device compliance requirements. Restrict access from unmanaged devices and suspicious locations. These policies stop credential stuffing attacks even when the attacker holds a valid password, because the password alone isn't enough.
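The two controls above, leaked credential detection with risk-based remediation and Conditional Access that refuses legacy protocols, unmanaged devices and suspicious locations, can be modelled as a small policy evaluator. The code below is an added example, not Microsoft Entra ID's policy engine or any M365 Guardian tooling: the sign-in records, protocol names, thresholds and the "breach corpus" of leaked password hashes are all constructed for the example. It shows why a valid password alone is not enough: the same correct password is blocked over IMAP, blocked from an unmanaged laptop, and forces a reset when it is known to be leaked.

```python
"""
Toy risk-based Conditional Access evaluator (added example, not Entra ID's
policy engine). Models the policy shape described above: block legacy
authentication, require a compliant device, refuse suspicious locations,
and force a password reset plus MFA when a user's credential is known to
be leaked. All inputs are constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List
import hashlib


class Decision(Enum):
    ALLOW_WITH_MFA = "allow_with_mfa"         # password accepted, MFA still required
    BLOCK = "block"                           # sign-in refused outright
    RESET_PASSWORD_AND_MFA = "reset_and_mfa"  # credential known leaked: remediate first


# Protocols that cannot present an MFA challenge (constructed list).
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_basic", "activesync_basic"}


@dataclass
class SignIn:
    user: str
    protocol: str           # "modern" or one of LEGACY_PROTOCOLS
    device_compliant: bool  # device enrolled and meets compliance policy
    location_trusted: bool  # False for a location the tenant flags as suspicious
    password: str           # plaintext only so the example can hash it locally


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed breach corpus: hashes of passwords that appeared in a leak.
# A real detection service compares hashes rather than plaintext
# (assumption made for the example).
LEAKED_HASHES = {_sha256("Winter2023!"), _sha256("Password1")}


def credential_leaked(password: str) -> bool:
    """Return True when the password's hash is present in the breach corpus."""
    return _sha256(password) in LEAKED_HASHES


def evaluate(s: SignIn) -> Decision:
    """Apply the policies in order of severity and return the first that fires."""
    # 1. Legacy protocols bypass MFA entirely, so they are blocked even with a
    #    correct password: this is what stops credential stuffing over IMAP.
    if s.protocol in LEGACY_PROTOCOLS:
        return Decision.BLOCK
    # 2. A leaked credential is remediated before anything else is evaluated,
    #    because the password is no longer a secret.
    if credential_leaked(s.password):
        return Decision.RESET_PASSWORD_AND_MFA
    # 3. Unmanaged devices and suspicious locations are refused.
    if not s.device_compliant or not s.location_trusted:
        return Decision.BLOCK
    # 4. Everything else still has to complete MFA.
    return Decision.ALLOW_WITH_MFA


def evaluate_all(sign_ins: List[SignIn]) -> Dict[str, Decision]:
    """Evaluate a batch and map each sign-in's user to the policy decision."""
    return {s.user: evaluate(s) for s in sign_ins}


# Constructed sign-in attempts: one legitimate user and three attempts that
# present a correct password but fail another control.
SAMPLE_SIGN_INS = [
    SignIn("loan.officer@example.com", "modern", True, True, "C0rrect-Horse-Battery"),
    SignIn("stuffing-over-imap@example.com", "imap", False, False, "C0rrect-Horse-Battery"),
    SignIn("unmanaged-laptop@example.com", "modern", False, True, "C0rrect-Horse-Battery"),
    SignIn("reused-leaked-pw@example.com", "modern", True, True, "Winter2023!"),
]


if __name__ == "__main__":
    for user, decision in evaluate_all(SAMPLE_SIGN_INS).items():
        print(f"{user:35} -> {decision.value}")
```

The ordering inside `evaluate` is the design point: a leaked credential is remediated before device or location checks run, so a compliant device on a trusted network does not mask a password that is already circulating.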

Automated privileged access reviews. The Wells Fargo and FinWise Bank insider breaches both exploited access that persisted after the employee left. Automated access reviews in Entra ID flag dormant accounts and unused elevated permissions. Guardian's hardening protocols include service account auditing and regular privilege reviews.
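What such a review actually checks can be shown as a sweep over a directory export. The code below is an added example, not Entra ID's access review feature or Guardian's tooling: the account records, role names, review date and thresholds (90 days dormant, 60 days of unused privilege) are constructed for the example. It flags the insider pattern from the Wells Fargo and FinWise cases, an identity that stays enabled or keeps signing in after the owner's termination date, alongside dormant accounts and standing elevated roles that nobody exercises.

```python
"""
Access-review sweep over directory account records (added example, not
Entra ID's access review feature). Flags accounts that stay enabled or
keep signing in after termination, dormant accounts, and elevated roles
that have not been exercised recently. All inputs are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    upn: str
    enabled: bool
    last_sign_in: Optional[date]
    terminated_on: Optional[date]                 # None for current staff
    roles: Tuple[str, ...] = ()                   # assigned directory roles
    last_role_use: Dict[str, date] = field(default_factory=dict)


@dataclass(frozen=True)
class Finding:
    upn: str
    issue: str
    detail: str


# Thresholds and the role set treated as privileged (constructed values).
ELEVATED_ROLES = {"Global Administrator", "Exchange Administrator",
                  "Privileged Role Administrator"}
DORMANT_AFTER = timedelta(days=90)
ROLE_UNUSED_AFTER = timedelta(days=60)


def review(accounts: List[Account], today: date) -> List[Finding]:
    """Return every finding for every account; one account may produce several."""
    findings: List[Finding] = []
    for a in accounts:
        # Insider pattern: the person left but the identity did not.
        if a.terminated_on is not None:
            if a.enabled:
                days = (today - a.terminated_on).days
                findings.append(Finding(a.upn, "enabled_after_termination",
                                        f"still enabled {days} days after termination"))
            if a.last_sign_in is not None and a.last_sign_in > a.terminated_on:
                days = (a.last_sign_in - a.terminated_on).days
                findings.append(Finding(a.upn, "sign_in_after_termination",
                                        f"last sign-in {days} days after termination"))
        # A dormant but enabled account is a standing credential nobody watches.
        if a.enabled and (a.last_sign_in is None or today - a.last_sign_in > DORMANT_AFTER):
            findings.append(Finding(a.upn, "dormant", "no sign-in within 90 days"))
        # Standing privilege that is never used should be removed or made just-in-time.
        for role in a.roles:
            if role not in ELEVATED_ROLES:
                continue
            used = a.last_role_use.get(role)
            if used is None or today - used > ROLE_UNUSED_AFTER:
                findings.append(Finding(a.upn, "unused_elevated_role", role))
    return findings


def issues_by_user(findings: List[Finding]) -> Dict[str, List[str]]:
    """Collapse findings into {upn: [issue codes]} for a review ticket."""
    grouped: Dict[str, List[str]] = {}
    for f in findings:
        grouped.setdefault(f.upn, []).append(f.issue)
    return grouped


# Constructed directory export; the review runs as of a fixed date.
REVIEW_DATE = date(2024, 5, 1)
SAMPLE_ACCOUNTS = [
    Account("former.employee@example.com", True, date(2024, 3, 2), date(2023, 1, 15)),
    Account("svc-legacy-sync@example.com", True, date(2023, 9, 1), None,
            ("Exchange Administrator",), {"Exchange Administrator": date(2023, 9, 1)}),
    Account("it.admin@example.com", True, date(2024, 4, 30), None,
            ("Global Administrator", "Helpdesk Administrator"),
            {"Global Administrator": date(2023, 12, 20),
             "Helpdesk Administrator": date(2024, 4, 30)}),
    Account("loan.officer@example.com", True, date(2024, 4, 29), None),
]


if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{f.upn:32} {f.issue:28} {f.detail}")
```

Run against the constructed export, the sweep produces five findings: the former employee is flagged twice (still enabled, and signed in 412 days after termination), the service account is both dormant and holding an unused Exchange Administrator role, and the active admin has a Global Administrator role not exercised in 133 days. The loan officer produces nothing, which is the point of a threshold-based review: it surfaces the exceptions, not the population.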

Password policy enforcement and credential hygiene. The FTC Safeguards Rule requires mortgage lenders to implement multi-factor authentication for anyone accessing customer information. But MFA without credential hygiene leaves gaps. Password reuse across platforms, weak hashes from legacy systems, and shared service accounts all create exposure that MFA alone doesn't cover.

Inside the M365 Guardian Stack: Defender and Sentinel

Breaking the kill chain is not one product. It is a coordinated set of Microsoft 365 services, configured for financial-institution risk and watched continuously. ABT operates as a Tier-1 Microsoft Cloud Solution Provider, which means we manage your Microsoft 365 tenant under delegated admin and host the Azure subscriptions that anchor your security telemetry. M365 Guardian sits on top of that footing as our operating model for credit unions, banks, and mortgage companies. Three Microsoft services do the heavy lifting underneath it, and each one closes a different gap that the breaches above kept open for days, weeks, or years.

Microsoft Defender is the prevention and detection layer at the endpoint, the inbox, and the identity edge. Defender for Office 365 inspects every inbound message for credential-harvesting links and attachment-borne malware, the techniques behind the 27.7% of global phishing attempts aimed at financial services. Defender for Endpoint hunts for the file activity that follows a successful phish, such as the staged exfiltration that ran at Mr. Cooper for days before anyone noticed traffic anomalies. Defender for Identity watches for the on-premises and hybrid signals that say "an attacker is escalating privilege right now," the pattern that surfaces in insider abuse cases like Wells Fargo and FinWise Bank. M365 Guardian configures the Defender suite to a vertical baseline hardened by the attempted intrusions seen across 750+ financial institutions, then tunes it for the specific LOS, core banking system, and document workflows you actually run.

Microsoft Sentinel is the SIEM and SOAR layer that closes the gap between alert and action. Sentinel ingests signals from Defender, Entra ID, Microsoft 365 audit logs, Azure resources, and the third-party systems your institution depends on. It correlates a Defender for Identity anomaly with an Entra ID risky-sign-in event and a Defender for Endpoint binary execution, and surfaces the chain as a single incident rather than three disconnected pings. The Marquis Software supply-chain breach that exposed 780,000 records through 74 downstream institutions is exactly the pattern Sentinel detection rules are built to catch, because a correlated cross-tenant signal beats a single firewall alert every time. M365 Guardian ships Sentinel automation runbooks tuned for financial-institution incident response, including auto-isolation of compromised mailboxes, automated session revocation through our Tokenator integration, and conditional-access policy lockdown that contains an insider account in minutes instead of months.
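The correlation step described above, three alerts from three sources collapsing into one incident, can be demonstrated with a small routine over sample alert lines. The code below is an added example, not Sentinel's analytics engine or a KQL rule: the JSON alert lines, source names, the 30-minute window and the "all three sources" rule are constructed for the example. It groups alerts by user, slides a window over each user's sequence, and emits a single incident only when the identity-protection, identity-threat and endpoint sources all fire together; alerts that never complete the chain are left for ordinary single-alert triage rather than silently dropped.

```python
"""
Cross-source alert correlation of the kind the text attributes to Sentinel
(added example; a generic routine, not Sentinel's engine or KQL). Groups
alerts per user inside a time window and emits one incident when all
required sources appear together. Alert lines are constructed JSON.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List
import json


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str
    user: str
    kind: str
    detail: str


@dataclass
class Incident:
    user: str
    first_seen: datetime
    last_seen: datetime
    sources: FrozenSet[str]
    alerts: List[Alert]


# Sources that must all appear before a chain becomes an incident, and the
# window they must land in (constructed values).
REQUIRED_SOURCES = frozenset({"EntraIDProtection", "DefenderForIdentity", "DefenderForEndpoint"})
WINDOW = timedelta(minutes=30)

# Constructed alert stream: one complete chain for j.doe, two unrelated
# alerts hours apart for a.smith.
SAMPLE_ALERT_LINES = [
    '{"ts":"2025-09-03T08:02:11Z","source":"EntraIDProtection","user":"j.doe@example.com","type":"RiskySignIn","detail":"unfamiliar sign-in properties"}',
    '{"ts":"2025-09-03T08:05:40Z","source":"DefenderForIdentity","user":"j.doe@example.com","type":"PrivilegeEscalation","detail":"account added to a privileged group"}',
    '{"ts":"2025-09-03T08:09:03Z","source":"DefenderForEndpoint","user":"j.doe@example.com","type":"SuspiciousExecution","detail":"unsigned binary run from user temp directory"}',
    '{"ts":"2025-09-03T09:15:00Z","source":"EntraIDProtection","user":"a.smith@example.com","type":"RiskySignIn","detail":"atypical travel"}',
    '{"ts":"2025-09-03T14:40:00Z","source":"DefenderForEndpoint","user":"a.smith@example.com","type":"SuspiciousExecution","detail":"office document spawned a child process"}',
]


def parse_alerts(lines: List[str]) -> List[Alert]:
    """Parse one JSON alert per line; timestamps are ISO 8601 with a Z suffix."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        alerts.append(Alert(ts, rec["source"], rec["user"], rec["type"], rec["detail"]))
    return alerts


def correlate(alerts: List[Alert]) -> List[Incident]:
    """Per user, emit an incident for each window that covers every required source."""
    by_user: Dict[str, List[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_user.setdefault(a.user, []).append(a)

    incidents: List[Incident] = []
    for user, seq in by_user.items():
        i = 0
        while i < len(seq):
            # Alerts are time-sorted, so the window is a prefix of seq[i:].
            window = [a for a in seq[i:] if a.ts - seq[i].ts <= WINDOW]
            sources = frozenset(a.source for a in window)
            if REQUIRED_SOURCES <= sources:
                incidents.append(Incident(user, window[0].ts, window[-1].ts, sources, window))
                i += len(window)  # consume the chain so it is reported once
            else:
                i += 1
    return incidents


def uncorrelated(alerts: List[Alert], incidents: List[Incident]) -> List[Alert]:
    """Alerts that joined no incident; these still need single-alert triage."""
    consumed = {a for inc in incidents for a in inc.alerts}
    return [a for a in alerts if a not in consumed]


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_LINES)
    found = correlate(parsed)
    for inc in found:
        print(f"INCIDENT {inc.user}: {len(inc.alerts)} alerts from {sorted(inc.sources)} "
              f"between {inc.first_seen:%H:%M} and {inc.last_seen:%H:%M}")
    print(f"{len(uncorrelated(parsed, found))} alerts left for single-alert triage")
```

On the constructed stream the routine raises one incident for j.doe covering all three sources within seven minutes, and leaves a.smith's two alerts uncorrelated because they come from only two sources more than five hours apart. Widening `WINDOW` or relaxing `REQUIRED_SOURCES` is the tuning trade-off the text alludes to: looser rules catch slower chains at the cost of more false positives.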

ABT deploys this stack across 750+ credit unions, banks, and mortgage companies, with no third-party MSP platforms layered on top to add their own supply-chain risk. When ConnectWise was breached in February 2024 and again in May 2025, our customers had zero exposure, because the attack surface simply did not exist. That is what a managed Microsoft 365 tenant looks like when it is operated by a Tier-1 CSP whose only customer profile is financial services.

[Figure: The four-phase kill chain targeting credit unions, banks, and mortgage companies (Reconnaissance, Phishing, Breach, Heist), and the ABT Guardian controls that break each link.]

Kill Chain Status, Part 1 of 4

[RECON >>>] Phish > Breach > Heist

You've seen how the kill chain starts: stolen credentials, dark web markets, and patient reconnaissance. In Part 2: The Phish, those stolen credentials become the foundation for AiTM attacks that bypass even multi-factor authentication, and the real-world BEC schemes that have drained $19.6 million from mortgage closings.

Frequently Asked Questions

How does Microsoft Entra ID Protection detect leaked credentials?

Microsoft Entra ID Protection includes leaked credential detection that continuously checks user password hashes against known breach databases, public paste sites, and credentials surfaced through Microsoft's threat intelligence partnerships with law enforcement. When a match is found, risk-based Conditional Access policies can automatically force a password reset and MFA challenge before the compromised credential is exploited. For financial institutions handling sensitive borrower data, this early warning system catches stolen passwords before they become the first link in an attack chain. M365 Guardian from ABT configures and monitors these Entra ID Protection signals as part of the broader Microsoft 365 security environment, ensuring alerts are acted on immediately rather than buried in a log.

How common are credential-based attacks against financial institutions?

Over 80% of hacking-related breaches involve stolen or weak credentials, according to Verizon's Data Breach Investigations Report. The financial services sector absorbs 27.7% of all phishing attempts globally, making credit unions, banks, and mortgage companies among the most targeted industries. The FBI's IC3 reported over 859,000 internet crime complaints in 2024 with losses exceeding $16 billion, and business email compromise (which relies on stolen credentials) accounted for $2.8 billion of those losses.

Why are credit unions, banks, and mortgage companies such attractive targets?

Financial institutions store some of the most sensitive personal and financial data available: Social Security numbers, bank account details, tax returns, employment records, and complete credit histories. This data retains value for years on the dark web. When Mr. Cooper was breached in October 2023, attackers accessed records dating back to 2001. A stolen mortgage "fullz" record (SSN, bank account, address, and employment data) sells for $30 to $80 on underground forums, compared to $5 to $15 for a basic credit card number. The combination of high-value data, complex vendor relationships, and regulatory pressure makes credit unions, banks, and mortgage companies prime targets.

What does the FTC Safeguards Rule require of financial institutions?

The updated FTC Safeguards Rule requires financial institutions to designate a qualified individual to oversee security, conduct documented risk assessments, implement multi-factor authentication for all system access, encrypt data at rest and in transit, perform regular penetration testing, and maintain a written incident response plan. Institutions must also report breaches affecting 500 or more consumers to the FTC within 30 days of discovery. For mortgage lenders specifically, these requirements apply to anyone with access to customer information, including third-party servicers and vendors.

Why does a pure Microsoft security stack reduce supply-chain risk?

Every third-party tool in your security stack adds attack surface. When ConnectWise ScreenConnect was breached in February 2024 through a critical authentication bypass vulnerability (CVSS 10.0), MSPs using the platform exposed their downstream clients to Play and LockBit ransomware. ConnectWise was breached again in May 2025 by a nation-state actor. A pure Microsoft stack using Microsoft Entra ID, Microsoft Defender, Microsoft Purview, and Microsoft Sentinel eliminates the MSP platform supply chain entirely. ABT serves 750+ financial institutions on this architecture, which meant zero client exposure during both ConnectWise breaches.

What roles do Microsoft Defender and Microsoft Sentinel play in M365 Guardian?

Microsoft Defender is the prevention and detection layer that watches the endpoint, the inbox, and the identity edge. Defender for Office 365 inspects inbound mail, Defender for Endpoint inspects file and process activity on managed devices, and Defender for Identity inspects on-premises and hybrid identity signals. Microsoft Sentinel is the SIEM and SOAR layer that ingests Defender alerts alongside Entra ID, Microsoft 365 audit logs, Azure telemetry, and third-party signals, then correlates them into single incidents and triggers automated runbooks. M365 Guardian from ABT configures both services to a financial-institution baseline, tunes detection rules for credit-union, bank, and mortgage-company workflows, and operates the response runbooks so alerts result in action rather than dashboards.


Justin Kirsch

CEO, Access Business Technologies

Justin has spent over 25 years helping credit unions, banks, and mortgage companies defend against the exact attack patterns described in this series. As CEO of Access Business Technologies, a Tier-1 Microsoft Cloud Solution Provider focused on financial services, he leads a team that manages Microsoft 365 tenants and hosts Azure environments for more than 750 financial institutions nationwide.