Security giant RSA said a sophisticated attack has possibly compromised the two-factor authentication system used by tens of millions of end users of the company’s clients, which include large banks and other corporations and credit unions.
RSA, a division of EMC, placed the attack in the Advanced Persistent Threat category, which typically means the attackers had undetected access to sensitive data for some period of time.
RSA’s executive chairman, Art Coviello, said the company has found that information "specifically related" to its widely used SecurID two-factor authentication products was involved.
"While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack," Coviello said in an open letter posted on the company’s website at www.rsa.com.
He called the attack extremely sophisticated and said the company is working with authorities and contacting clients.
"We are committed to applying all necessary resources to give our SecurID customers the tools, processes and support they require to strengthen the security of their IT systems in the face of this incident. Our full support will include a range of RSA and EMC internal resources as well as close engagement with our partner ecosystems and our customers' relevant partners," Coviello said.