MIT

29,000 Cambridge Subscribers Compromised: The INC Ransom Attack That Knocked Out Harvard and MIT's Backup Alert Layer

Wednesday, November 26, 2025MAinfrastructure failureadvisorymedium confidence

Confirmed Threat

On November 26, 2025, Cambridge Public Safety agencies announced that the CodeRED emergency notification platform — used by Cambridge, Harvard, and MIT as the municipal-level alert backup layer — had been hit by a ransomware attack claimed by the INC Ransom group. More than 29,000 Cambridge residents were enrolled in CodeRED, and the breach exposed names, phone numbers, email addresses, and passwords. Cambridge ran its own alerting infrastructure for two weeks while CodeRED was offline; the system was restored on December 11, 2025 on a new platform with all passwords forcibly reset.

Alerts: 3
Response: —
Killed: 0
Injured: 0

Institution

Massachusetts Institute of Technology

Private R1 · MA

~11,934 studentsMIT Alert / Cambridge CodeRED

Confirmed Timeline

Alert Sequence

3 messages in sequence

Some alert texts below are approximate reconstructions from news coverage, not confirmed verbatim transcripts. Reconstructed texts are shown in italic with a dashed border. Verified verbatim texts have a solid border and are marked accordingly.

INITIAL ALERTEmailNov 26, 2025, 7:00 PM EST

Approximate reconstructionReconstructed from the City of Cambridge's November 26, 2025 community notice about the CodeRED cyberattack744 chars

The City of Cambridge, the Cambridge Emergency Communications Department, the Cambridge Police Department, and the Cambridge Fire Department are notifying the community that the CodeRED emergency notification platform has been taken offline following a nationwide cyberattack. A data breach exposed user data including phone numbers, email addresses, and passwords. Residents enrolled in CodeRED with a phone number or email may have been impacted. If you set up your CodeRED account with a password and used the same password for other personal or business accounts, the City strongly recommends changing those passwords immediately. Cambridge will continue to communicate emergency information through alternative channels during this period.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

The Cambridge notice was issued the day before Thanksgiving 2025 — a deliberate choice to reach residents before the four-day weekend

CodeRED's parent company OnSolve served thousands of local government and public-safety agencies; the Cambridge notice was one of dozens issued nationally

The breach was claimed by the INC Ransom group, the same ransomware operation linked to multiple 2025 healthcare and municipal cyberattacks

Although MIT Alert and Harvard MessageMe are independent of CodeRED, the platform served as the municipal-level backup layer that integrates with university emergency notifications during Cambridge-wide events (severe weather, hazmat, mass casualty)

UPDATEEmailDec 2, 2025, 4:00 PM EST+5d

Approximate reconstructionReconstructed from Cambridge Day's December 2, 2025 reporting on Cambridge's interim alerting workflow during the CodeRED outage504 chars

An update on the CodeRED outage: the platform remains offline as OnSolve completes the migration to a new, separate environment. During this period, Cambridge Emergency Communications is using tip411, Cambridge Police social channels, and direct coordination with university alert systems (Harvard MessageMe, MIT Alert) for community notifications. Residents will be required to reset their passwords when CodeRED is restored. We will provide notice when the new platform is available for password reset.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

The interim workflow — tip411 + Cambridge Police social + university alert systems — was the operational fallback during the two-week CodeRED outage

The decision to publicly describe the alternative channels was itself a security trade-off; the operational fallback became part of the public knowledge of Cambridge's alerting infrastructure

The CodeRED outage spanned the highest-traffic November-December emergency period in recent memory, including the Harvard Medical School explosion (November 1, 2025) post-event coverage and the December 13, 2025 Brown University shooting peer-institution response window

ALL CLEAREmailDec 11, 2025, 8:00 PM EST+15d

Approximate reconstructionReconstructed from the City of Cambridge's December 11, 2025 announcement of the CodeRED platform restoration511 chars

Cambridge CodeRED has been restored on a new platform — CodeRED by Crisis24 — on a separate, non-compromised environment. All previous passwords have been removed; subscribers must set new passwords by entering their username at the website and selecting 'Forgot password.' Phone numbers and email subscriptions have been retained; only passwords required reset. Cambridge thanks residents for their patience during the two-week outage and reminds subscribers to use unique passwords across all online accounts.

This text has been reconstructed from news coverage and may not reflect the exact original wording.

Total outage duration: approximately 15 days (November 26 to December 11, 2025)

The transition from CodeRED to CodeRED-by-Crisis24 maintained the consumer-facing branding while changing the underlying platform — a deliberate choice to minimize subscriber re-education

Cambridge thanked subscribers for 'patience during the two-week outage' — a framing that downplays the security severity of the breach but emphasizes operational restoration

Context

Background

The November 26 to December 11, 2025 CodeRED ransomware outage was one of the most consequential cybersecurity incidents affecting US campus emergency alerting in 2025. CodeRED, operated by parent company OnSolve, served thousands of local government and public-safety agencies nationally, including the City of Cambridge — which hosts both Harvard University and MIT. More than 29,000 Cambridge residents were enrolled in CodeRED, and the breach exposed phone numbers, email addresses, and passwords. The ransomware attack was claimed by the INC Ransom group, an operation linked to multiple 2025 healthcare and municipal targets. While MIT Alert and Harvard MessageMe are independent university-operated alert systems, CodeRED served as the municipal-level backup layer that integrates with university notifications during Cambridge-wide events (severe weather, hazmat, mass casualty incidents). The Harvard Crimson's December 12, 2025 advisory became the channel through which Harvard community members were directed to reset CodeRED passwords. Cambridge handled its own alerting via tip411 and Cambridge Police social channels for the two-week outage. The system was restored on December 11, 2025 on a new platform (CodeRED by Crisis24) on a separate, non-compromised environment with all passwords forcibly reset. The case is significant for this archive because it documents (a) the supply-chain vulnerability of campus emergency-alert backup layers, (b) the operational fallback patterns when a third-party alerting platform is unavailable for two weeks, and (c) the particularly poor timing — the CodeRED outage spanned the most operationally intense November-December period in recent Cambridge memory, including the November 1 Harvard Medical School explosion aftermath and the December 13 Brown University shooting peer-institution response window.

Analysis

Key Findings

Approximately 29,000 Cambridge residents had personal data exposed in the INC Ransom group attack on the CodeRED platform — one of the largest single-municipality emergency-alert breaches of 2025

Cambridge handled its own alerting via tip411 and Cambridge Police social channels for the two-week outage (November 26 to December 11, 2025)

MIT Alert and Harvard MessageMe are independent university-operated systems, but CodeRED served as the municipal-level backup layer that integrates with university notifications during Cambridge-wide events

The outage spanned the most operationally intense November-December period in recent memory, including the November 1 Harvard Medical School explosion aftermath and the December 13 Brown University shooting peer-institution response window

OnSolve migrated to a new platform (CodeRED by Crisis24) with comprehensive security audits and forcibly reset all subscriber passwords

The case documents the supply-chain vulnerability of campus emergency-alert backup layers — a vulnerability category previously underdocumented in this archive

Outcome

CodeRED was taken offline by parent company OnSolve following the November 2025 ransomware attack and decommissioned. OnSolve migrated to a new platform (CodeRED by Crisis24) on a separate, non-compromised environment with comprehensive security audits. Cambridge handled its own alerting via tip411 and Cambridge Police social channels from November 26 through December 11, 2025. Approximately 29,000 Cambridge subscribers had personal information exposed; users who reused passwords were urged to change them on all affected accounts. The Harvard Crimson published a December 12, 2025 advisory to the Harvard community on the password-reset requirement.

Provenance

Sources

official press release
Cambridge Public Safety Agencies Issue CodeRed Emergency Notification System Update (City of Cambridge)
cambridgema.gov
official press release
Cambridge Public Safety Agencies Notify Community Of Cyber-Attack Against CodeRed (City of Cambridge)
cambridgema.gov
News
CodeRED emergency system recovers from a cyberattack (Cambridge Day)
cambridgeday.com
News
Emergency alert system restored in Cambridge (Cambridge Day)
cambridgeday.com
Student Paper
Cambridge Asks Residents To Reset Passwords on Emergency Alert Platform After Cyberattack (The Harvard Crimson)
thecrimson.com
blog
Millions at risk after nationwide CodeRED alert system outage and data breach (Malwarebytes Labs)
malwarebytes.com
industry publication
CodeRED Alert Platform Shut Down Following Cyberattack (Dark Reading)
darkreading.com

Alert Sequence

Background

Key Findings

Sources

Related Cases