
Mr. Cooper leaks personal data of 14 million loan and mortgage customers

Mr. Cooper Group Inc., a major mortgage and loan company based in Dallas, has released more information on a recent breach. In a data breach notification, the company didn’t say what type of cyberattack caused the compromise of customer data, calling it a rather non-descriptive “External system breach (hacking).”

For those unfamiliar with the name, Mr. Cooper is a rebranding of Nationstar Mortgage, and reportedly some 14.7 million homeowners may be affected by the data breach.

A month ago, in November 2023, the company stated that the number of affected customers was limited to around 4 million, because banking information related to mortgage payments is hosted with a third-party provider, whose systems were believed not to be compromised.

As it turns out, all current and former customers, amounting to over 14 million people, had their personal data stolen. Mr. Cooper shut down multiple systems after it discovered the cyberattack on October 31, 2023, and started its investigation.

The data accessible during the attack included the names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers of Mr. Cooper’s customers.

On the page dedicated to the incident, Mr. Cooper states:

“To help support our customers, we are offering two years of free credit monitoring and identity protection services through TransUnion to any former or current (as of Oct. 31, 2023) Mr. Cooper customer or customers whose loans we service on behalf of our servicing partners. We will be directly notifying customers and providing them with enrollment instructions for the free identity protection services.”

Mr. Cooper says it is actively monitoring the dark web and has found no evidence that the data related to this incident has been further shared, published, or otherwise misused. This may, however, change if it turns out that any ransomware demands are made and not met. At some point the data thieves may want to cash in on the stolen data.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication. Where possible, use a FIDO2 2FA device. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider investing in an identity monitoring solution which will alert you if your personal information is found being illegally traded online, as well as help you recover.


Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.