Avvo Data Breach
Avvo Online Legal Marketplace Breach (2019): 4.1 Million User Accounts Including Passwords Exposed
Online legal services marketplace.
Risk Interpretation
High sensitivity. Exposure can reveal legal concerns, enable phishing or attorney impersonation, and create reputational risk tied to sensitive case interests.
Impact & Downstream Threats
The institutional consequences for Avvo have been limited: the company made no public response, and no formal regulatory action followed. Civil litigation has been minimal. The reputational impact within the legal-services marketplace category has been modest, although Troy Hunt's published account of Avvo's unresponsiveness to breach-disclosure attempts has been cited in security commentary about disclosure failures and corporate breach-response practices. The case has not generated forma
Threat Vectors
- Credential stuffing against reused passwords across other platforms
- Targeted phishing campaigns using exposed email addresses
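The credential-stuffing vector is visible from the receiving side: an attacker replaying a leaked email/password list tries many distinct accounts from one source in a short window, which looks nothing like a single user retrying their own password. The following is an added example, not code from this page, from ObscureIQ, or from any Avvo system. The log line format, the field names, the five-minute window, the ten-account threshold and the sample lines are all constructed for illustration; adapt the regular expression and thresholds to your own authentication logs.

```python
"""Added example: flag credential-stuffing activity in authentication logs.
Log format, thresholds and sample lines are constructed (not from any real system)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed log format: "<ISO timestamp>Z ip=<addr> user=<email> result=ok|fail"
LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def constructed_log():
    """Constructed sample: one address spraying 12 accounts with one success
    (stuffing with a recovered password), one user retrying their own
    password (benign), and one ordinary login."""
    t0 = datetime(2022, 4, 16, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat() + "Z"
    lines = []
    for i in range(12):
        result = "ok" if i == 7 else "fail"
        lines.append(f"{stamp(i)} ip=203.0.113.5 user=user{i}@example.com result={result}")
    for i in range(4):
        lines.append(f"{stamp(30 + i)} ip=198.51.100.7 user=carol@example.com result=fail")
    lines.append(f"{stamp(34)} ip=198.51.100.7 user=carol@example.com result=ok")
    lines.append(f"{stamp(40)} ip=192.0.2.9 user=dave@example.com result=ok")
    return lines


def detect_stuffing(lines, window=timedelta(minutes=5), min_distinct_users=10):
    """Return {ip: summary} for every source that attempted at least
    min_distinct_users distinct accounts inside any sliding time window.
    Distinct accounts per source, not failure count, is the discriminator:
    a user mistyping their own password fails often but against one account."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts = datetime.fromisoformat(m["ts"].rstrip("Z"))
        events[m["ip"]].append((ts, m["user"], m["result"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "distinct_users": len(users),
                    "failures": sum(r == "fail" for *_, r in win),
                    "successes": sum(r == "ok" for *_, r in win),
                    # accounts that logged in successfully from the spraying source:
                    # these are the ones to force a password reset on
                    "compromised": sorted(u for _, u, r in win if r == "ok"),
                }
        if best and best["distinct_users"] >= min_distinct_users:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(constructed_log()).items():
        print(ip, info)
```

A successful login from a flagged source is the actionable part: it indicates the reused password was valid, so that account should be reset and its sessions revoked, not merely rate-limited.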
Breach Intelligence
Executive Summary
Avvo, a U.S.-based online legal services marketplace and lawyer directory, suffered a data breach that came to public attention in approximately December 2019 when an alleged dataset of Avvo user accounts was published to an online hacking forum. The dataset was subsequently used in extortion campaigns targeting affected users, with users receiving 'you've been hacked' extortion emails to email addresses that they had used exclusively for their Avvo accounts. The breach was reported to Have I Been Pwned in 2022 after a user identified the extortion pattern and alerted Troy Hunt. Hunt attempted to disclose the breach to Avvo over the course of a week without receiving any response. The dataset's authenticity was eventually verified by correlating the records with HIBP subscribers' confirmed Avvo accounts, and the breach was indexed by HIBP and Mozilla Monitor on April 15, 2022. The original date of the underlying compromise is uncertain and may date back earlier than December 2019.
The breach affected approximately 4.1 million user accounts based on records indexed by Have I Been Pwned, with 4,101,101 unique email addresses verified. Compromised fields included email addresses and SHA-1 password hashes. SHA-1 is a fast general-purpose hash that was never designed for password storage: it has no tunable work factor, so commodity GPUs compute billions of SHA-1 guesses per second, and unless each hash was salted, a single pass over a wordlist tests every account in the dump at once. Purpose-built password hashes such as bcrypt, scrypt, or Argon2 are salted and deliberately slow, which is what makes offline cracking expensive. The hash format therefore means the underlying password values are recoverable for many users, particularly those who chose short or commonly used passwords.
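To make the hashing point concrete, here is an added example (not code from this page, from ObscureIQ, or from Avvo): a dictionary attack with a few simple mangling rules against constructed, unsalted SHA-1 digests, followed by a timing comparison with a salted, slow key-derivation function. The sample digests, the wordlist and the rule set are constructed for illustration, and the salt and storage format of the actual Avvo hashes are not documented on this page; PBKDF2 stands in for bcrypt/scrypt/Argon2 only because it ships in Python's standard library.

```python
"""Added example: why unsalted fast hashes fall to dictionary attacks.
All digests, the wordlist and the rules are constructed (not Avvo data)."""
import hashlib
import time

# Constructed sample dump: unsalted SHA-1 hex digests of three passwords.
# The third is long and random and should survive the attack below.
LEAKED = {
    "user1@example.com": hashlib.sha1(b"password1").hexdigest(),
    "user2@example.com": hashlib.sha1(b"Summer2019!").hexdigest(),
    "user3@example.com": hashlib.sha1(b"Xk9$vL2#qR8!pZ").hexdigest(),
}

# Constructed mini wordlist; real attacks use lists of hundreds of millions.
WORDLIST = ["password", "summer", "letmein", "avvo", "lawyer"]


def mutations(word):
    """Yield candidates in the spirit of hashcat/John rules: case variants,
    a trailing digit, a trailing year, and year plus '!'."""
    for base in dict.fromkeys([word, word.capitalize(), word.upper()]):
        yield base
        for d in range(10):
            yield f"{base}{d}"
        for year in range(2015, 2021):
            yield f"{base}{year}"
            yield f"{base}{year}!"


def crack_sha1(leaked, wordlist):
    """Unsalted fast hash: hash each candidate once and look it up against
    every target simultaneously. Returns ({email: password}, candidates_tried)."""
    targets = {digest: email for email, digest in leaked.items()}
    found, tried = {}, 0
    for word in wordlist:
        for candidate in mutations(word):
            tried += 1
            digest = hashlib.sha1(candidate.encode()).hexdigest()
            if digest in targets:
                found[targets[digest]] = candidate
    return found, tried


def slow_hash(password, salt):
    """What a password store should use instead: a per-user salt plus a
    tunable-cost KDF. PBKDF2-HMAC-SHA256 at 600,000 iterations follows
    OWASP's guidance; bcrypt, scrypt or Argon2 are the usual choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def cost_ratio(fast_evals=100_000, slow_evals=3):
    """Rough per-guess cost of the slow KDF relative to one SHA-1 on this CPU."""
    t = time.perf_counter()
    for i in range(fast_evals):
        hashlib.sha1(f"candidate{i}".encode()).digest()
    fast = (time.perf_counter() - t) / fast_evals
    t = time.perf_counter()
    for i in range(slow_evals):
        slow_hash(f"candidate{i}", b"per-user-salt-16")  # constructed salt
    slow = (time.perf_counter() - t) / slow_evals
    return slow / fast


if __name__ == "__main__":
    found, tried = crack_sha1(LEAKED, WORDLIST)
    print(f"recovered {len(found)} of {len(LEAKED)} after {tried} candidates: {found}")
    print(f"one PBKDF2 guess costs roughly {cost_ratio():.0f}x one SHA-1 guess")
```

Two accounts fall to 345 candidates because their passwords are a dictionary word plus a common suffix; the ratio printed at the end is the per-guess slowdown a salted KDF imposes on the same attack, before salting also removes the ability to test all accounts with one hash computation.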
For affected users, the practical risk profile combines credential-reuse exposure with legal-services-specific reputational risk. The combination of email address and recoverable password value supports credential-stuffing attacks against other accounts where the same password was reused. More distinctively, inclusion in the Avvo dataset confirms that the user has interacted with a legal-services marketplace, which can support targeted phishing referencing legal questions, attorney consultations, or potentially sensitive case categories. The dataset has been actively used in extortion campaigns targeting users at Avvo-specific email addresses, with extortion emails claiming fictional compromise of devices and demanding cryptocurrency payment. Affected users who receive extortion emails should not pay ransom demands as the emails typically rely on the email-address exposure for credibility rather than any actual device compromise. Users should change any reused passwords on other accounts, enable two-factor authentication where available, and treat unsolicited contact referencing Avvo, attorney consultations, or legal questions with caution. The active use of the dataset in extortion campaigns means affected users should expect ongoing exposure rather than a time-limited incident.
About Avvo
Avvo is a U.S.-based online legal services marketplace and lawyer directory that connects consumers seeking legal services with attorneys and provides public profile pages for individual lawyers. Headquartered in Seattle, Washington and founded in 2006, Avvo operates as a referral and reputation platform with attorney ratings, peer endorsements, client reviews, and a question-and-answer service through which users can submit legal questions for attorneys to answer publicly. As an account-based legal-services marketplace, Avvo maintains substantial user account data including consumer identity, attorney profile records, legal-question submissions, attorney-client matching records, and login credentials tied to legal-services discovery and matching workflows.
Why They Hold Your Data
Legal-services marketplaces collect client identity, inquiry details, attorney relationships, contact records, case-interest signals, and messaging tied to legal search and matching workflows.
Recent Developments
The Avvo breach came to wider public attention in early 2022 when Have I Been Pwned subscribers began receiving extortion emails at their Avvo-specific email addresses, indicating the dataset was being actively used in extortion campaigns rather than merely circulating among breach-trading communities. Have I Been Pwned founder Troy Hunt published a detailed blog post in April 2022 documenting the difficulty of disclosing the breach to Avvo, including multiple attempts over the course of a week that received no response. The breach was eventually verified by correlating the dataset with HIBP subscribers' confirmed Avvo accounts, and was indexed by HIBP and Mozilla Monitor on April 15, 2022. Avvo has not publicly detailed the original incident, the specific vulnerability that enabled the compromise, or post-incident security measures.
Data Points Exposed
Canonical Fields
email_address, password
Dark Web Verification
- Dataset containing ~4.1M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: avvo-2019 (Avvo Data Breach)
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
