47 Million Mortgage Customers Breached in 18 Months: A Timeline of the Industry’s Credential Crisis


BY: Kevin Smith

The mortgage industry has a credential problem.

In the eighteen months between October 2023 and early 2025, more Americans had their mortgage data exposed than in the preceding decade combined. The companies involved were not fringe operators. They were some of the largest and most established names in the industry. And in case after case, the entry point came back to the same fundamental vulnerability: inadequate authentication protecting access to systems containing vast stores of nonpublic personal information.

 

This is a timeline of what happened, what it cost, and what it reveals about where the mortgage industry’s security posture actually stands.

 

What Happened: The Mortgage Industry Breach Timeline

 

The breach wave that started in late 2023 was not random. It reflected a deliberate targeting pattern by ransomware and extortion groups that had identified mortgage companies as high-value, relatively accessible targets.

 

October 2023: Mr. Cooper (14.7 Million Customers)

 

On October 30, 2023, Mr. Cooper Group, then the largest non-bank mortgage servicer in the United States, identified unauthorized access to its systems. The company shut down its IT infrastructure, including its online payment portal, leaving millions of customers unable to make mortgage payments for weeks.

 

Forensic investigation revealed that attackers had maintained access to Mr. Cooper’s systems for at least two days before detection. In that window, they accessed files containing the personal information of 14.7 million current and former customers. The compromised data included names, addresses, phone numbers, Social Security numbers, dates of birth, and bank account numbers, covering customers dating back to 2001.

 

Mr. Cooper’s direct response costs exceeded $25 million. A class action lawsuit representing 22 plaintiffs documented specific harm to affected customers, including fraudulent credit card applications, a $25,000 withdrawal from one customer’s investment account, and waves of identity theft attempts in the months following the breach.

 

January 2024: LoanDepot (16.9 Million Customers, $86.6 Million Settlement)

 

On January 4, 2024, LoanDepot, the fifth-largest retail mortgage lender in the United States, identified a cybersecurity incident. The company took multiple systems offline, disrupting mortgage origination and servicing operations for weeks. The ALPHV/BlackCat ransomware gang later claimed responsibility.

 

The LoanDepot breach affected 16.9 million individuals, including a significant number of people who had no direct relationship with the company but whose data had been collected through third-party relationships. Many breach notification recipients reported never having interacted with LoanDepot.

 

The breach led to the largest mortgage data breach settlement in history at the time: $86.6 million. Direct response costs added another $27 million. The company’s stock declined significantly, and its reputation within the originator community suffered lasting damage.

 

Late 2023: Fidelity National Financial (1.3 Million Customers)

 

Fidelity National Financial, one of the largest title insurance companies in the United States, disclosed a cybersecurity incident in November 2023 that took its systems offline for several days. The ALPHV/BlackCat group, the same organization responsible for the LoanDepot attack, claimed responsibility. Approximately 1.3 million customers had personal data compromised.

 

2023 to 2024: First American Financial (20 Million+ Records at Risk)

 

First American Financial, another major title insurance provider, disclosed a significant data vulnerability affecting mortgage transaction records. The company’s prior 2019 vulnerability, which exposed over 800 million documents containing mortgage transaction data, had drawn regulatory attention. The 2023 to 2024 period saw additional security incidents that kept the company under heightened scrutiny.

 

2024: McLean Mortgage Corporation

 

McLean Mortgage Corporation, a Virginia-based lender founded in 2008, was hit by the Black Basta ransomware group in October 2024. The company disclosed that 30,453 individuals had data compromised. The company subsequently appears to have ceased operations, demonstrating that for smaller lenders, a major breach is not a recoverable setback but potentially an existential event.

 

What Mortgage Company Hacks in 2023, 2024, and 2025 Have in Common

 

Looking across the breach timeline, the pattern is consistent and instructive.

 

The Data Profile Is Uniquely Valuable

 

A mortgage loan file contains more personally identifiable and financially sensitive information than almost any other document in a consumer’s financial life. Social Security numbers, income documentation, tax returns, bank account numbers, employment history, and property records are all consolidated in a single file. That data has a long shelf life for fraud.

 

Cotality, formerly CoreLogic, has documented how mortgage data stolen in breaches continues to enable fraud and identity theft for years after the initial incident. A compromised loan file from 2023 can still fund a fraudulent mortgage application in 2026.

 

Authentication Gaps Are the Entry Point

 

While the specific initial access vectors in the major mortgage breaches have not all been publicly disclosed, the general attack pattern is well established: attackers gain initial access to mortgage company systems through compromised credentials, exploit weak or phishable authentication to move laterally, and then either exfiltrate data directly or deploy ransomware to maximize extortion leverage.

 

For mid-market lenders specifically, the authentication posture has lagged behind the threat environment. Most have deployed MFA in response to the FTC Safeguards Rule, but many have deployed the phishable variety: SMS one-time passwords or authenticator app codes that can be captured in real time by adversary-in-the-middle attack tools that cost less than $200 to deploy.

 

Mid-Market Lenders Are Next

 

The breaches that made headlines involved large companies with significant resources and high public profiles. But the targeting pattern has not stayed at the top of the market. Organized ransomware and extortion operations have explicitly expanded their targeting to mid-market mortgage companies, specifically firms in the 50 to 500 employee range, that hold significant data but are less likely to have invested in identity infrastructure beyond the regulatory minimum.

 

For a 200-person non-bank mortgage originator, the calculus is stark. The IBM Cost of a Data Breach 2025 report puts the average financial services breach cost at $6.08 million. For a company of that size, that figure is not a quarterly earnings impact. It is potentially the end of the business.

 

What the Breach Timeline Reveals About the FTC Safeguards Rule

 

The 2021 amendments to the FTC Safeguards Rule, effective June 2023, were explicitly designed to address the growing credential threat in non-bank financial services. The rule requires MFA for any access to systems containing customer information. It requires written information security programs, risk assessments, and incident response plans.

 

What the rule cannot require, and what the breach timeline reveals, is that minimum compliance is insufficient in the current threat environment. Every company in the breach timeline above was operating under some version of an information security program. The gap was not the absence of controls. It was the adequacy of those controls against the attacks actually being used.

 

Phishable MFA, specifically SMS codes and OTP-based authenticator apps, meets the FTC Safeguards Rule minimum. It does not stop adversary-in-the-middle attacks, credential stuffing, or MFA fatigue-based push notification attacks. The distinction matters enormously when regulators are assessing whether a security program was reasonably designed to address anticipated threats.

 

CISA had published guidance on adversary-in-the-middle (AiTM) attacks by 2022. Any information security program designed after that date that relies on SMS OTP for loan origination system (LOS) access will face scrutiny about whether it addressed a documented, foreseeable threat.

 

What Protection Against This Attack Pattern Looks Like

 

The breach timeline points clearly to what mid-market mortgage lenders need to address:

 

First, phishing-resistant authentication for all LOS and system access. FIDO2/WebAuthn-based passwordless authentication removes the credential from the attack surface entirely. There is no password to phish. There is no OTP to intercept. The attack vector that enabled the majority of the breaches in the timeline above simply does not work against FIDO2-protected systems. (BlokSec’s passwordless implementation goes beyond the FIDO2 spec by eliminating a central repository of credentials, increasing security.) 

 

Second, audit logging that satisfies regulatory requirements. GLBA, FTC Safeguards Rule, and NYDFS Part 500 all require evidence of MFA enforcement and access monitoring. Modern passwordless platforms generate the audit trail that compliance requires.
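The first point above rests on origin binding: a WebAuthn assertion carries the origin the browser actually saw and a hash of the relying-party ID, and the server rejects any mismatch, whereas an OTP has no such field. The Python below is an added example, not code from this article or from any vendor; the host names, RP ID and sample assertions are constructed, and it covers only the binding checks, with signature verification left out.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "los.lender.example"                    # constructed relying-party ID
EXPECTED_ORIGIN = "https://los.lender.example"  # constructed LOS login origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def binding_failures(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Names of failed binding checks; an empty list means all passed.
    Signature verification is out of scope here and is still required."""
    failed = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(str(cd.get("challenge", "")), b64url(challenge)):
        failed.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:      # origin is written by the browser
        failed.append("origin")
    if len(auth_data) < 37:                      # rpIdHash(32) + flags(1) + signCount(4)
        return failed + ["authenticatorData"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:                 # UP flag: user presence
        failed.append("userPresent")
    return failed

def constructed_assertion(origin_seen: str, rp_id: str, challenge: bytes):
    """Constructed sample of what a browser and authenticator emit for the page
    the user is actually on (no real credential or signature involved)."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                     "origin": origin_seen}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (7).to_bytes(4, "big")
    return cd, auth_data

CHALLENGE = bytes(range(32))                     # fixed here; random per login in practice

def demo() -> dict:
    direct = constructed_assertion(EXPECTED_ORIGIN, RP_ID, CHALLENGE)
    # User lands on a lookalike host that relays the real challenge: the browser
    # still records the host it sees, and scopes the RP ID to that host.
    relayed = constructed_assertion("https://los-lender.example.net",
                                    "los-lender.example.net", CHALLENGE)
    return {"direct": binding_failures(*direct, CHALLENGE),
            "relayed": binding_failures(*relayed, CHALLENGE)}

if __name__ == "__main__":
    print(demo())
```

The relayed case fails on both origin and rpIdHash even though the challenge is the genuine one, which is the property a typed-in SMS or authenticator-app code lacks.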

 

The mortgage industry has seen what inadequate authentication costs. The data is public, the dollar figures are documented, and the attack pattern is understood. The question for security leaders at mid-market lenders is whether their current authentication posture would have held against the attacks that hit Mr. Cooper, LoanDepot, and McLean Mortgage, and whether they want to find out the hard way.
