Mr. Cooper data breach: what customers should know and how to secure your financial information

Mr. Cooper Group, the largest mortgage servicer with 10.9% market share and 6.7 million customers, faced a massive security incident in October 2023. Mr. Cooper data breach impacted 14.7 million people, past customers included.

The growing number of cyberattacks targeting major firms in the industry–including Mr. Cooper Group, Fidelity National Financial, loanDepot, and others–reveal the need for stronger data safeguards for both organizations and mortgage customers they serve. After all, mortgage-related data breaches are a great risk to your financial security.

In this article, we’ll explore the Mr. Cooper security breach details and share practical tips to secure your information.

What happened in the Mr. Cooper data breach?

Timeline of the Mr. Cooper mortgage cyber attack

The Mr. Cooper data breach lasted for three days. The timeline of the incident is as follows:

• Date(s) breach occurred: October 30, 2023
• Date(s) breach discovered: November 1, 2023

After the breach was discovered, the company shut down its systems to stop the loss of personal data and initiated a forensic investigation. The official report released on November 2, confirmed that unauthorized access to some of Mr. Cooper’s systems had exposed personal information of nearly all current and former customers. In late December of the same year–less than two weeks after the massive  data breach–the Cybernews research team discovered that Mr. Cooper left an open Google Cloud instance, which exposed additional sensitive data to the public. While this publicly accessible data didn’t include the information leaked in the earlier Mr. Cooper breach, it suggests that the incidents were unrelated and highlighted more gaps in the company’s security practices. 

What data was stolen and why is it dangerous?

• Names
• Addresses
• Phone numbers
• Social Security numbers
• Dates of birth
• Bank account numbers

Here’s a breakdown of why each type of data matters and what criminals can do with it:

As CBS17 reported, cybersecurity professionals raised concerns that “it’s a data breach with a lot of sensitive information,” emphasizing that it included “everything important to your identity.”

The Federal Trade Commission (FTC) warns that when breaches involve Social Security numbers and bank account information, the risk for identity theft is especially high. Similarly, the Identity Theft Resource Center (ITRC) highlights that such information can circulate on the dark web for years, leaving victims vulnerable long after the initial breach.

These expert insights confirm that when Mr. Cooper was hacked, the damage wasn’t just technical. On the contrary, the breach created a long-term identity risk for millions of consumers.

Who was affected?

The Mr. Cooper mortgage cyber attack affected a total of 14.7 million people. Roughly 4 million of them were current customers of the company, the rest 10.7 million were past customers and loan applicants. Even customers from many years ago were affected.

As one Reddit user who got the Mr Cooper data breach notification noted: “This was so odd to me [to get the letter] as the last time I applied for a mortgage was 2005 and I haven’t had a mortgage since 2010 when I paid off my house. Why the hell are they still storing my social security number after almost 14-19 years? That’s all just so wrong. That data should’ve been archived a long time ago.”

How Mr. Cooper addressed the security breach

After detecting the technology systems of Mr. Cooper hacked, the company shut down its systems, changed account passwords, and restored the systems with updated safeguards. They started a forensic review–including the dark web monitoring for further data leaks–and engaged with law enforcement and regulators to identify the causes of the incident. Additionally, Mr. Cooper set up a dedicated call center for addressing customer concerns.

Further, Mr. Cooper sent letters notifying customers about the breach. The key actions they offered to manage the incident and address customer concerns included:

• Two years of free credit monitoring with TransUnion.
• Proactive fraud assistance from Cyberscout for customers who may become victims of identity theft or fraud

The company took responsibility for the breach: “We take our role as a mortgage company very seriously, and there is nothing more important to us than maintaining our customers’ trust. I want you to know how sorry I am for any concern or frustration this may have caused. Making the homeownership journey as smooth as possible is our top priority, and we intend to make this right for our customers,” Mr. Cooper Group Chairman and CEO Jay Bray said in an official statement. 

Customer reactions to Mr. Cooper security breach

The Mr. Cooper data breach caused a significant public fallout due to its scale and severe risks involved. Frustrated and concerned customer reactions surfaced across platforms like Reddit where many people questioned the safety of their data with Mr. Cooper.

Some users were sceptical about the free credit monitoring services Mr. Cooper offered through TransUnion. Others were outraged by the delays in receiving official data breach notices by mail, arguing that the late alerts put them at an even greater risk. One Reddit user shared: “What really pisses me off further about this is the fact that my wife and I literally received this yesterday and it was dated Dec 23, i understand the holiday mail delays, but then compound this with the […] Postal Service here in Houston that has been having some serious delays as of late, this is absolutely ridiculous.”

Eventually, Mr. Cooper faced a class action lawsuit filed in the federal court in Dallas, Texas. The company was accused of not protecting its customers’ data enough and allowing cybercriminals to gain unauthorized access to it.

Why mortgage and financial data breaches are a serious threat

Mortgage and financial service providers are frequent targets for cybercriminals because of  large amounts of sensitive personal and banking details they store about their customers. Data, such as that stolen in the Mr. Cooper data breach–names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers,–create a dangerous combination.

It gives cybercriminals nearly all the information they need to commit  serious fraud. The key risks include:

• Identity theft, e.g. opening credit cards, loans, or even filing false tax returns in your name. 
• Phishing attacks in which bad actors are using your data to craft convincing emails or messages that trick you into giving away more sensitive info.
• Targeted impersonation scams where cybercriminal are pretending to be you or someone from your mortgage company to manipulate others.
• Financial fraud, like gaining access to your bank account and authorizing transactions.
  

How to check If your data was compromised

If you’re wondering whether your data was affected in the Mr. Cooper breach, the first step would be to check for an official data breach notification letter sent by the company.

However, if you did not receive a letter but still suspect you may have been impacted, here are additional steps you can take:

Dark web monitoring

Monitoring platforms like databreach.com or haveibeenpwned.com analyze hundreds of database dumps and pastes for leaked data. You can use these website to check if your SSN or your email address have been leaked or subscribe for automatic notifications sent to you if your details appear in online databases.

Checking for unusual activity on your accounts and credit reports

If your data is compromised in the Mr. Cooper mortgage cyber attack or a similar breach involving highly sensitive personal and financial data, there is a good chance that bad actors will try to access your online accounts, such as mortgage portals and online banking. Monitor your accounts for any unauthorized activity, credit inquiries, or unexpected changes to detect if you are at risk.

In addition, visit annualcreditreport.com to access your free reports from Equifax, Experian, and TransUnion to make sure nothing suspicious is going on there. 

Understanding data breach notifications

Lastly, if you fall victim to a breach, it might be helpful to know how to understand breach notifications. If you received one, pay close attention to the following details:

• What types of data were compromised;
• What protective measures you are advised to take;
• What services or assistance you can get to address breach consequences.

What you should do immediately to protect your financial information after a breach like Mr. Cooper

If your data was exposed, there are a few things you should do immediately to safeguard yourself.

Freeze your credit with all 3 bureaus

A security freeze on your credit report  doesn’t let anyone see it or open any new cards or credit lines in your name. To freeze your credit, you need to contact each of the three major agencies–Equifax, Experian, and TransUnion–and make a freeze request. You can do it online, by phone, or via mail.

Set up fraud alerts

Fraud alerts are special notes placed on your credit report, notifying potential creditors about data compromise and requiring them to verify your identity more meticulously before providing new credit lines, cards, or increasing limits. You can place them with the three credit reporting agencies by phone or online.

Regularly review your financial statements

Check your bank and credit card statements on a regular basis to look out for any suspicious activity, such as unauthorized access or transactions, new cards issued, and new credit lines opened. If you notice any suspicious activity, contact your financial institution instantly.

Change passwords and enable two-factor authentication (2FA)

To minimize the likelihood of unauthorized access to your accounts, change your current passwords for strong ones–do this for your online banking, mortgage portals, and email. Additionally, enable 2FA for additional identity verification during every access attempt.

How to protect your privacy and financial information in the long run

Unfortunately, incidents like Mr. Cooper data breach are not rare. As more and more cybercriminals target all types of organizations, including mortgage and financial institutions, you may not be able to prevent them. However, there are ways to avoid potential threats and safeguard yourself better.

Prevent risks by reducing your personal data exposure

Your digital footprint is made of all the information you share on the internet, intentionally or not. To strengthen your safety, it’s important to become more mindful of what you post and where:. 

• Do not share personal data like birthdays, locations, and other details on social media and other channels.
• Regularly clean up your old accounts, unsubscribe from unused services, and delete outdated profiles to reduce your overall exposure. The smaller your digital footprint, the harder it becomes for bad actors to exploit your information.

Also, consider using services like Onerep to automatically remove your personal information from data brokers–websites that expose your personal information without your permission. Onerep scans 210+ broker sites to find where your information is listed, requests opt-outs and verifies removals from all websites where your personal details were detected. This helps to significantly reduce your online exposure and minimize privacy risks.

Consider identity theft protection

Unlike Onerep, identity theft protection services don’t prevent ID theft, but they are useful when it happens. They will help you by freezing your credit, liaising with banks, assisting with accounts restoration, and offering insurance against potential losses. 

Keep records of any breach notices or fraud for future legal claims

If you happen to be a victim of a data breach, it’s important to keep records of any official breach notices or fraud attempts/cases that you face. These records can help you support future legal claims or investigations and provide evidence of the incident that you had to deal with.

Educate yourself about online threats and learn how to avoid phishing scams

Incidents like Mr. Cooper security breach provide bad actors with the information they need to commit fraud or identity theft. However, sometimes, you may give them your personal and financial data  willingly, by falling for a phishing scam. That’s why it’s essential to educate yourself about these common online threats and never share your sensitive information like Social Security numbers, passwords, or bank details via phone or the internet.

FAQs

What should I do if my information was exposed in the Mr. Cooper breach?

Start by confirming that your data was compromised by reviewing official breach notices or using dark web monitoring tools. If data compromise is confirmed, freeze your credit (if possible) and set up fraud alerts with all 3 major agencies, change your old passwords, enable 2FA, and carefully monitor your accounts for any suspicious activity.

How do I know if my mortgage data is at risk?

First of all, recognize that no one is immune to cyberattacks, and even large and trusted companies can become targets of cybercriminals. To assess if your mortgage data is at risk, keep an eye on any official breach notices from your servicer and regularly monitor your bank and credit reports for any suspicious activity. Additionally, don’t forget to safeguard yourself by using strong, unique passwords and by staying wary of phishing attempts.

Can I remove my personal information from the internet?

Yes, you can do it by removing your information from data broker sites that collect your data from across the web and organize it in compelling profiles for the sake of selling them later. According to the law, data brokers are obliged to delete your profile upon request, after which it also gets removed from Google. While this process can be very time-consuming if done manually, Onerep offers automated data removal so you can save time and effort to focus on the important things. The platform looks for your data in 210+ broker sites and sends opt-out requests to remove your information from the public web to  minimize your online risks.