CodeRED Emergency Alert Platform Shut Down Following Cyberattack
Recorded: Dec. 1, 2025, 11:02 p.m.
| Original | Summarized |
The Inc ransomware gang took responsibility for the attack earlier this month and claimed it stole sensitive subscriber data.

Rob Wright, Senior News Director, Dark Reading
December 1, 2025

A cyberattack on risk management provider Crisis24 earlier this month led the company to shut down its CodeRED emergency notification platform, sending shockwaves through city, county, and state government agencies amid the Thanksgiving holiday.

The OnSolve CodeRED platform is a voluntary system that issues emergency notifications and alerts for city, county, and state government agencies, not to be confused with the federal-government-operated Emergency Alert Service (EAS). Customers use the platform to issue alerts to residents through phone calls, emails, and text messages in situations such as weather emergencies or outages to government services.

In a disclosure published Wednesday, Crisis24 parent company GardaWorld Corporation said it suspended all access to the platform on Nov. 10 in response to a breach of the CodeRED environment. "As the OnSolve CodeRED platform was damaged during the cyberattack, we have decommissioned the platform," the statement read. "We have also confirmed that the incident was contained within that environment, with no contagion beyond. All customers have since transitioned to the new CodeRED by Crisis24."

The Inc ransomware gang claimed responsibility for the attack earlier this month in a post on its Dark Web leak site. According to the gang, Inc actors first gained access to the CodeRED environment on Nov. 1 and encrypted the platform's files on Nov. 10.
Inc operators also claimed that during ransom negotiations, Crisis24 offered a $100,000 payment, which was rejected. As a result, the group said it was putting the stolen data up for sale and published samples on Nov. 23.

GardaWorld's statement acknowledged that a "cybercriminal group" claimed responsibility for the attack and that the company believed that threat actors stole data from the platform and that it "may contain information for OnSolve CodeRED subscribers." The company also said it had not yet confirmed whether the published sample data originated from CodeRED.

Dark Reading contacted Crisis24 for comment but the company did not respond at press time.

Government Agencies React to CodeRED Attack

Crisis24 said it notified state, county, and municipal governments "shortly" after it confirmed the CodeRED environment had been compromised, but some customers appear to have been caught off guard and publicly expressed frustration with the company.

For example, the Public Safety Communications Department for Weld County, Colo., said on Nov. 14 that it was alerted three days earlier that CodeRED had been taken offline due to concerns from Crisis24's IT department. "There has been no further update from CodeRED, nor has the Weld County representative for CodeRED returned any of the county’s calls/emails," the department's press release stated.

Like other affected customers, Weld County's Public Safety Communications Department informed its constituents that CodeRED's disruption did not impact 911 operations or emergency services.

While Crisis24 transitioned customers to the new CodeRED platform — which GardaWorld said "resides in a non-compromised, separate environment that has been subjected to a comprehensive security audit" — some customers weren't buying it. The sheriff's office in Douglas County, Colo., issued a press release on Nov. 24 stating that it had dropped the platform.

"The Douglas County Sheriff's Office, in collaboration with the Douglas County 911 Board, has taken immediate action to terminate our contract with CodeRED for cause. Our top priority is the privacy and protection of our citizens, which led to the decision to end our agreement with CodeRED," the press release stated.

The sheriff's office also included the text of a notification sent by Crisis24 that warned the threat actors "removed" sensitive data from the platform that included subscribers' names, addresses, email addresses, phone numbers, and passwords for their CodeRED accounts.

The town governments of Chesterfield and Goshen, Mass., said in a public service announcement that the state's Commonwealth Fusion Center, a threat intelligence sharing entity, was investigating the CodeRED attack. The PSA also noted that Inc ransomware's leaked sample data appears to show passwords in plain text, meaning the passwords were not encrypted or hashed by Crisis24.

Mitigating Risks to CodeRED Subscribers

If Inc actors obtained clear text passwords to CodeRED subscribers' accounts, that presents significant risk to those individuals, even with the platform shut down and presumably inaccessible to threat actors wielding those passwords. First, attackers could send fake alerts and notifications to users and use the stolen passwords to convince the targets that the alerts are legitimate, which could allow threat actors to further exploit that trust.

Additionally, GardaWorld highlighted the dangers of password reuse. "We have encouraged our customers to inform subscribers who may have reused their OnSolve CodeRED password for any other personal or business accounts to change those passwords immediately," the company said in its disclosure statement. Several CodeRED customers urged their residents to take immediate action. For example, Sioux City's government published an advisory on Nov. 28 urging all CodeRED subscribers who may have used the same password for other accounts for email, banking, shopping, or enterprise services to update those accounts immediately. The advisory also recommended that subscribers enable multifactor authentication (MFA) "wherever possible" and monitor their accounts for suspicious activity.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
|
The OnSolve CodeRED platform, a vital emergency notification system utilized by city, county, and state government agencies, experienced a significant disruption following a cyberattack orchestrated by the Inc ransomware gang. This incident, disclosed Wednesday, November 13, 2025, highlighted vulnerabilities within Crisis24’s infrastructure and raised concerns about data security for CodeRED subscribers. The attack occurred when Inc gained unauthorized access to the CodeRED environment on November 1st and subsequently encrypted the platform’s files on November 10th, leading to the platform’s complete shutdown. The ransomware group claimed responsibility and, as a tactic to exert pressure, published samples of stolen data on November 23rd, which included subscriber names, addresses, email addresses, phone numbers, and passwords for their CodeRED accounts. The gang also revealed that Crisis24 had offered a $100,000 payment to avoid further ransom demands, which was rejected. This disclosure immediately triggered a wave of reactions from affected government agencies and underscored the potential ramifications of compromised credentials.

The immediate response involved Crisis24 suspending all access to the platform and transitioning customers to a new CodeRED by Crisis24 – a non-compromised environment subjected to a security audit. However, this transition wasn't universally welcomed. Several agencies, including Weld County, Colorado, and Douglas County, Colorado, swiftly terminated their contracts with CodeRED citing concerns over privacy and security. The Douglas County Sheriff's Office, in particular, expressed outrage over the leaked password samples, believing the platform had inadequately protected subscriber data through plain text passwords.

The incident underscored the importance of password management best practices. Crisis24 issued an advisory urging subscribers to immediately update any reused passwords across multiple accounts, alongside reinforcing the use of multi-factor authentication where available. Several affected communities, such as Sioux City, Iowa, emphasized the urgency of this action. The Commonwealth Fusion Center, Massachusetts’ threat intelligence sharing entity, initiated an investigation into the attack, further highlighting the scale of the potential breach. The leaked data, which included plain text password samples, compounded the concerns, suggesting a possible lapse in Crisis24’s security protocols for storing and handling sensitive user credentials.

The swift condemnation of CodeRED and the immediate steps taken by impacted agencies demonstrate the critical role emergency notification systems play in public safety. The incident serves as a stark reminder of the evolving threat landscape and the need for robust cybersecurity measures within critical infrastructure systems. It’s anticipated that the investigation into the attack will reveal the precise sequence of events, identify the vulnerabilities exploited, and ultimately inform future preventative strategies within the emergency notification sector. |