Nationwide Emergency Alerts Disrupted by OnSolve Cyberattack

Summary
– Crisis24’s OnSolve CodeRED platform suffered a cyberattack, disrupting emergency notification systems used by U.S. government agencies and first responders.
– The attack forced Crisis24 to decommission the legacy system and rebuild the service from a backup dated March 31, 2025, so accounts may be missing.
– Stolen data includes user profile information such as names, addresses, email addresses, phone numbers, and passwords, though there is no evidence it has been published online.
– The INC Ransom gang claimed responsibility for the attack, stating they breached OnSolve on November 1, 2025, and are now selling the stolen data after failing to receive a ransom payment.
– Customers are advised to reset any reused CodeRED passwords, as the ransomware gang published screenshots showing email addresses and associated clear-text passwords.
A significant cybersecurity incident has compromised the OnSolve CodeRED platform, a critical emergency notification system relied upon by numerous state and local governments, police departments, and fire agencies throughout the United States. The platform’s operator, risk management firm Crisis24, confirmed the attack forced it to decommission the legacy environment, leading to widespread disruption in services that deliver urgent weather alerts, public safety warnings, and other emergency communications to residents.
Crisis24 assured customers that its investigation determined the breach was confined to the CodeRED system and did not impact any of its other operational platforms. However, the company acknowledged that sensitive user data was stolen, including names, physical addresses, email addresses, phone numbers, and passwords associated with CodeRED profiles. Despite the theft, Crisis24 stated it has not observed any public release of the compromised information so far. An announcement from the City of University Park, Texas, echoed this, noting CodeRED had informed them that while data was taken, there is currently no evidence it has been posted online.
Due to the damage inflicted by the cyberattack, Crisis24 is undertaking the substantial task of rebuilding the service. The company is migrating to a newly launched system called CodeRED by Crisis24, restoring data from a backup dated March 31, 2025. Because this backup is not current, many user accounts are expected to be missing initially, requiring re-registration. Public safety agencies across the country have publicly addressed the outage, confirming they are actively working to reinstate their emergency alert capabilities for the communities they serve.
Although Crisis24 attributed the breach only to an “organized cybercriminal group,” the INC Ransom gang has publicly claimed responsibility. The group created a dedicated entry for OnSolve on its Tor data leak site, where it published screenshots appearing to show customer information, including email addresses and associated passwords stored in clear text. The ransomware actors allege they initially breached OnSolve’s systems on November 1, 2025, and proceeded to encrypt files on November 10. They claim that after failing to receive a ransom payment, they are now attempting to sell the stolen data.
Given that the published screenshots reveal passwords in an unencrypted format, all CodeRED users are strongly urged to immediately reset their passwords, especially if the same credentials were used for other online accounts.
INC Ransom operates as a ransomware-as-a-service (RaaS) operation and first emerged in July 2023. Its list of victims is extensive and diverse, spanning sectors such as education, healthcare, and government. Notable past targets include Yamaha Motor Philippines, Scotland’s National Health Service (NHS), the international food retail conglomerate Ahold Delhaize, and the U.S. division of Xerox Business Solutions (XBS).
(Source: Bleeping Computer)





