Sophisticated hackers broke into security company RSA's servers and stole data related to SecurID authentication tokens, the firm's head announced late Thursday.
The tokens are used by an estimated 40 million employees of large corporations and organizations. They generate a seemingly random six-digit number every 30 or 60 seconds, which the employees type in to log into virtual private networks or other sensitive systems.
The RSA cryptography algorithm, which uses a 128-bit "seed" unique to each token to generate the numbers, is virtually impossible to crack. An estimated 250 million smartphones use similar RSA software to verify identity.
"Recently, our security systems identified an extremely sophisticated cyber attack in progress being mounted against RSA," RSA executive chairman Art Coviello, Jr. wrote in an "Open Letter to RSA Customers" that was posted on his company's site Thursday evening.
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT)," the letter continues. "Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products."
An "online note" filed with the Securities and Exchange Commission stated that the stolen data "could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack."
"RSA urges immediate action," the note added, suggesting mostly common-sense steps that essentially mean, "Be wary."
Both public statements were vague about what kind of data was stolen. But if the intruders got a list of the "seeds" used in the algorithm, it could compromise the security of millions of tokens and smartphones.
Coviello's reference to an "advanced persistent threat" is telling. The term is often a euphemism for "extremely skilled hackers supported by the Chinese government" who in the past few years have penetrated the networks of hundreds of U.S. corporations and governmental organizations.
Similar intrusions were part of "Operation Aurora," which hit Google, Yahoo, Morgan Stanley, Disney, General Electric and about 200 still-unnamed firms, and of "Night Dragon," which affected the Western energy giants ExxonMobil, Royal Dutch Shell, BP, Marathon Oil and ConocoPhillips.
The Chinese government has denied any connection to the incidents.
RSA, based in Bedford, Mass., was founded in 1982 by Ron Rivest, Adi Shamir, and Len Adleman, the three MIT-affiliated computer scientists who developed the algorithm. After a series of mergers and acquisitions, it was bought by EMC, another Boston-area computing firm, in 2006.