Avvo 2019 Data Breach


Classification Tags

Misconfiguration · Legal · Professional Services · Email Address · Password
Moderate Severity · Website / service breach

Avvo Online Legal Marketplace Breach (2019): 4.1 Million User Accounts Including Passwords Exposed

Online legal services marketplace.

Verified by ObscureIQ Intelligence
55/100 Breach Risk Index
25 Data Value
25 Market Recency
439d Since Breach

Breach Intelligence Summary

Entity: Avvo · Actor: Unknown · Sources: 7 references
Attack: Misconfiguration
Profile: Platform · Legal services marketplace · Lawyer directory and client matching platform · USA
Timeline: Breach (2019-12-17) · Indexed (Feb 12, 2025) · Year (2019)
Exposure: 4.1M records · 2 fields: Email Address, Password
Status: Confirmed

Executive Summary

Avvo, a U.S.-based online legal services marketplace and lawyer directory, suffered a data breach that came to public attention in approximately December 2019 when an alleged dataset of Avvo user accounts was published to an online hacking forum. The dataset was subsequently used in extortion campaigns targeting affected users, with users receiving 'you've been hacked' extortion emails to email addresses that they had used exclusively for their Avvo accounts. The breach was reported to Have I Been Pwned in 2022 after a user identified the extortion pattern and alerted Troy Hunt. Hunt attempted to disclose the breach to Avvo over the course of a week without receiving any response. The dataset's authenticity was eventually verified by correlating the records with HIBP subscribers' confirmed Avvo accounts, and the breach was indexed by HIBP and Mozilla Monitor on April 15, 2022. The original date of the underlying compromise is uncertain and may date back earlier than December 2019.

The breach affected approximately 4.1 million user accounts based on records indexed by Have I Been Pwned, with 4,101,101 unique email addresses verified. Compromised fields included email addresses and SHA-1-hashed password values. SHA-1 hashing is a deprecated cryptographic algorithm that is significantly weaker than modern bcrypt, scrypt, or Argon2 hashing and is increasingly vulnerable to GPU-accelerated brute-force cracking. The hash format suggests the underlying password values are recoverable for many users, particularly those who chose short or commonly used passwords.

For affected users, the practical risk profile combines credential-reuse exposure with legal-services-specific reputational risk. The combination of email address and recoverable password value supports credential-stuffing attacks against other accounts where the same password was reused. More distinctively, inclusion in the Avvo dataset confirms that the user has interacted with a legal-services marketplace, which can support targeted phishing referencing legal questions, attorney consultations, or potentially sensitive case categories. The dataset has been actively used in extortion campaigns targeting users at Avvo-specific email addresses, with extortion emails claiming fictional compromise of devices and demanding cryptocurrency payment. Affected users who receive extortion emails should not pay ransom demands as the emails typically rely on the email-address exposure for credibility rather than any actual device compromise. Users should change any reused passwords on other accounts, enable two-factor authentication where available, and treat unsolicited contact referencing Avvo, attorney consultations, or legal questions with caution. The active use of the dataset in extortion campaigns means affected users should expect ongoing exposure rather than a time-limited incident.
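The summary's point about SHA-1 versus a modern password hash is easiest to see on a small credential store. The following Python is an added example, not code from ObscureIQ or Avvo, and every account, password and hash in it is constructed for illustration. It contrasts a legacy table of unsalted SHA-1 digests (the format the summary attributes to the Avvo dataset) with salted scrypt from the standard library, shows why unsalted hashes let an analyst spot shared passwords across accounts without cracking anything, and implements the standard defender-side remedy: rehash-on-login, which upgrades a legacy hash the next time the user authenticates successfully. The `login`, `audit` and `duplicate_hash_groups` helpers are assumptions of this example, not any real API.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed legacy store: unsalted SHA-1 hex digests, as the page describes
# the exposed Avvo records. Addresses and passwords are made up for this example.
LEGACY_USERS = {
    "alice@example.com": hashlib.sha1(b"Summer2019!").hexdigest(),
    "bob@example.com": hashlib.sha1(b"Summer2019!").hexdigest(),
    "carol@example.com": hashlib.sha1(b"correct horse battery staple").hexdigest(),
}

# scrypt work factor: 16 MiB of memory per guess (128 * r * n bytes).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash, stored as 'scrypt$<salt hex>$<key hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${dk.hex()}"


def scrypt_verify(password: str, stored: str) -> bool:
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def sha1_verify(password: str, stored: str) -> bool:
    # Unsalted SHA-1: the stored value is a pure function of the password.
    return hmac.compare_digest(hashlib.sha1(password.encode()).hexdigest(), stored)


def is_legacy(stored: str) -> bool:
    return not stored.startswith("scrypt$")


def login(store: dict, email: str, password: str) -> bool:
    """Verify a login; on success against a legacy SHA-1 hash, upgrade the
    record to salted scrypt while the plaintext is legitimately in hand."""
    stored = store.get(email)
    if stored is None:
        return False
    if is_legacy(stored):
        if not sha1_verify(password, stored):
            return False
        store[email] = scrypt_hash(password)
        return True
    return scrypt_verify(password, stored)


def duplicate_hash_groups(store: dict) -> dict:
    """Map each stored hash shared by more than one account to those accounts.
    With unsalted SHA-1 this exposes which users chose the same password;
    with per-user salts it should be empty."""
    seen: dict = {}
    for email, h in store.items():
        seen.setdefault(h, []).append(email)
    return {h: users for h, users in seen.items() if len(users) > 1}


def audit(store: dict) -> dict:
    """How many records still carry a legacy hash."""
    return {"legacy": sum(is_legacy(h) for h in store.values()), "total": len(store)}


if __name__ == "__main__":
    store = dict(LEGACY_USERS)
    print("before:", audit(store), "shared hashes:", duplicate_hash_groups(store))
    for email in ("alice@example.com", "bob@example.com"):
        login(store, email, "Summer2019!")  # users log in, records get upgraded
    print("after:", audit(store), "shared hashes:", duplicate_hash_groups(store))

    # Rough per-guess cost of each scheme on this machine (constructed timing).
    t0 = time.perf_counter(); hashlib.sha1(b"guess").hexdigest(); t1 = time.perf_counter()
    scrypt_hash("guess", salt=b"\x00" * 16); t2 = time.perf_counter()
    print(f"sha1 guess: {(t1 - t0) * 1e6:.1f} us, scrypt guess: {(t2 - t1) * 1e3:.1f} ms")
```

Running it prints one shared SHA-1 hash (alice and bob) before any logins and none afterwards, and a per-guess cost several orders of magnitude higher for scrypt. The migration never needs the plaintext of users who do not return; a separate policy (forced reset after a deadline) is the usual companion to rehash-on-login for dormant accounts.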

ObscureIQ assessment: High sensitivity. Exposure can reveal legal concerns, enable phishing or attorney impersonation, and create reputational risk tied to sensitive case interests.

Breach Impact

The institutional impact on Avvo has been limited because of the company's lack of public response and the absence of formal regulatory action. Civil litigation has been minimal. The reputational impact within the legal-services marketplace category has been modest, although Troy Hunt's published account of Avvo's unresponsiveness to breach-disclosure attempts has been cited in security commentary about disclosure failures and corporate breach-response practices. The case has not generated formal regulatory or industry action, despite the active use of the dataset in extortion campaigns targeting affected users.

About Avvo

Avvo is a U.S.-based online legal services marketplace and lawyer directory that connects consumers seeking legal services with attorneys and provides public profile pages for individual lawyers. Headquartered in Seattle, Washington and founded in 2006, Avvo operates as a referral and reputation platform with attorney ratings, peer endorsements, client reviews, and a question-and-answer service through which users can submit legal questions for attorneys to answer publicly. As an account-based legal-services marketplace, Avvo maintains substantial user account data including consumer identity, attorney profile records, legal-question submissions, attorney-client matching records, and login credentials tied to legal-services discovery and matching workflows.

Why They Hold Your Data

Legal-services marketplaces collect client identity, inquiry details, attorney relationships, contact records, case-interest signals, and messaging tied to legal search and matching workflows.

Recent Developments

The Avvo breach surfaced publicly in early 2022 when Have I Been Pwned subscribers began receiving extortion emails to their Avvo-specific email addresses, indicating the dataset was being actively used in extortion campaigns rather than merely circulating among breach-trading communities. Have I Been Pwned founder Troy Hunt published a detailed blog post in April 2022 documenting the difficulty of disclosing the breach to Avvo, including multiple attempts over the course of a week that received no response. The breach was eventually verified by correlating the dataset with HIBP subscribers' confirmed Avvo accounts, and was indexed by HIBP and Mozilla Monitor on April 15, 2022. Avvo has not publicly detailed the original incident, the specific vulnerability that enabled the compromise, or post-incident security measures.

Data Points Exposed

2 verified field types
  • Email Address
  • Password (Critical)

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Credential stuffing & account takeover

Recommended Actions

If you believe your information may be included:

Change Reused Passwords
Update this account and anywhere you reused the password; use a manager.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Avvo breach?

Avvo, a U.S.-based online legal services marketplace and lawyer directory, suffered a data breach that came to public attention in approximately December 2019 when an alleged dataset of Avvo user accounts was published to an online hacking forum. The dataset was subsequently used in extortion…

What data was exposed?

Verified fields include Email Address, Password.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: DataBreach.com (record & field corroboration)
  • Breach Index: Have I Been Pwned (record & field corroboration)
  • Cross-source: 9ghz (independent catalogue listing)
  • Cross-source: Dehashed (independent catalogue listing)
  • Cross-source: Keeper (independent catalogue listing)
  • Cross-source: leakfind (independent catalogue listing)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
