Mr. Cooper leak exposes over two million customers


Mr. Cooper, a major US mortgage company, left an open Google Cloud instance exposing details of millions of its customers only two months after the company suffered a severe data breach.

America's third-largest mortgage servicer left details of its customers accessible to anyone willing to look, recent research from the Cybernews research team has revealed. Mr. Cooper's open Google Cloud storage bucket contained a trove of data, including marketing materials and site assets, but more importantly, names, loan numbers, and other data about its customers.

The team discovered the leak in late December 2023, less than two weeks after Mr. Cooper revealed it suffered a significant data breach in October 2023, which exposed the information of 14.6 million of the company's clients. However, the publicly accessible data discovered by the team does not include data exposed in the October breach, pointing to the incidents being unrelated.

After researchers contacted the company, Mr. Cooper closed the open Google Cloud instance and fixed the issue. We reached out to the company for official comment about the leak yet did not receive a reply before publishing this article.

What kind of Mr. Cooper data was leaked?

According to the team, the documents with personal customer data were likely used to track Mr. Cooper's push to adopt the "Paperless" feature, where customers are sent digital documents instead of printed ones.

The leaked data includes:

  • Names
  • Customer IDs
  • Loan numbers
  • Enrollment links for the Paperless feature
  • Email addresses
  • Phone numbers

The team discovered two kinds of sensitive files on the open instance: one type containing names and emails and another containing names and phone numbers. Files with names and emails had details on 1.7 million individuals, and files with names and phone numbers had data on 2.7 million individuals.

The leaked data also contained the names and phone numbers of other mortgage brand customers serviced by Mr. Cooper:

  • 207,672 United Wholesale Mortgage customers
  • 161,761 LakeView customers
  • 53,924 Veterans United customers
  • 37,384 USAA customers
  • 35,794 RightPath Servicing customers
  • 12,722 Wintrust Mortgage Customers
  • 3,778 Paddio Customers

Researchers warn that exposing personal details such as names, email addresses, and phone numbers could be misused for phishing attacks, doxxing, and distributing spam.

"Since the leak was discovered after the company reported a significant data breach, it may show that the company's reaction to the incident was insufficient and failed to identify sensitive resources that needed proactive attention," researchers said.

Additionally, some of the leaked details included "enrollment links," allowing the modification of some account settings without logging in. For example, malicious actors could use the flaw to enable the "Paperless" feature for users' loans.

"Permission to modify account settings without logging in is a poor security practice. While settings that could have been modified weren't sensitive in this case, this is a fundamental issue and could point to other weaknesses within the website's design," researchers said.

According to Mr. Cooper's website, the company has 4.3 million US customers and is the country's third-largest mortgage servicer. The company's revenue for 2022 stood at nearly $3 billion, and the company employed over 8,000 staff.


More from Cybernews:

Why are people returning their Apple Vision Pro headsets?

iPhone fraudsters facing jail after robbing Apple of $3M

ConnectWise critical bug exploited in wild escalates

Google releases Gemma lightweight AI open models

LockBit crackdown heats up as US offers reward for info on hackers

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked