RSA, the Security Division of EMC Corp., said Thursday that information related to its SecurID two-factor authentication products was stolen in an "extremely sophisticated cyberattack" against the company.
In an open letter to customers posted on the company's website, Art Coviello, RSA executive chairman, said RSA recently detected the attack.
"Our investigation has led us to believe that the attack is in the category of an Advanced Persistent Threat (APT). Our investigation also revealed that the attack resulted in certain information being extracted from RSA's systems. Some of that information is specifically related to RSA's SecurID two-factor authentication products," he said.
APT is used to describe attacks in which organized intruders gain access to a network and often stay there undetected for a long period of time with the goal of stealing data.
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said.
He said the company had no evidence that customer security related to other RSA products was impacted by the attack. RSA is providing customers with information to strengthen their SecurID implementations, he said.
"The exact risk to customers isn't clear, but there does appear to be some risk that the assurance of your two factor authentication is reduced," Rich Mogull, founder of independent information security consulting firm Securosis, said in a blog post.
He advised SecurID customers to contact their RSA representative and find out if they are at risk and steps to mitigate the risk.
"Based on how the letter was worded it might mean that the attackers have a means to generate certain valid token values (probably only in certain cases). They would also need to compromise the password associated with that user," Mogull wrote. "I'm speculating here, which is always risky, but that's what I think we can focus on until we hear otherwise. Thus reviewing the passwords tied to your SecureID users might be reasonable."