
Security firm falls prey to breach

Attack considered 'persistent threat'

By Hiawatha Bray
Globe Staff / March 19, 2011


RSA, a Bedford security systems maker whose products guard vital computer networks worldwide, was scrambling yesterday to recover from a security breach that could expose its customers to hacker attacks.

The attack, revealed on Thursday, compromised products RSA sells under the SecurID brand name. RSA, a division of data storage giant EMC Corp. of Hopkinton, called the attack an “advanced persistent threat,” industry jargon for a relentless campaign by criminals or foreign governments to break into a high-value computer system.

SecurID uses a technique called “two-factor authentication,” requiring users to enter two different passwords to gain access to a network. The first password is memorized by the user. The second is a set of random numbers that appear on a SecurID “token,” a small electronic device carried by the user.

The token’s random numbers change roughly once a minute based on a unique digital “seed” assigned to each token. A SecurID computer with a copy of each token’s seed generates the same random number as the token. A user gets into the network by typing this number.

SecurID is used by an estimated 40 million people at 30,000 organizations worldwide, including banking firm Wells Fargo & Co., Rolls Royce Motor Cars Ltd., the French Ministry of Education, Lockheed Martin Corp., and The New York Times Co., including The Boston Globe.

A successful breach of RSA’s own network could allow a criminal to compromise customer networks. Gunter Ollmann, vice president of research at Atlanta network security firm Damballa Inc., said that RSA analysts were probably scouring their computers yesterday to make sure the intruders didn’t tamper with the SecurID software. One threat: Hackers could have introduced “back doors” to the system that could grant them easy access to the token numbers, and then to customer networks. They might also have tried to steal the seeds for the SecurID tokens, which would let them generate their own passwords and break into networks.
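The seed mechanism described above, and why the copy of each seed held on the server side is the thing to protect, shown as an added example that is not from the article or from RSA. SecurID's own algorithm is proprietary, so the public RFC 6238 time-based one-time password scheme stands in for it; the 60-second step, six digits, serial number, seeds and timestamp are constructed assumptions.

```python
import hashlib, hmac, struct

STEP = 60    # assumption: seconds per code ("roughly once a minute")
DIGITS = 6   # assumption: six-digit display

def code_at(seed, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP over HMAC-SHA1: a public stand-in, not SecurID's algorithm."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(seed_db, serial, submitted, now, drift_steps=1):
    """Recompute the code from the stored seed; allow +/- drift_steps of clock skew."""
    seed = seed_db.get(serial)
    if seed is None:
        return False
    return any(
        hmac.compare_digest(code_at(seed, now + k * STEP), submitted)
        for k in range(-drift_steps, drift_steps + 1)
    )

def demo():
    now = 1_300_500_000                                       # constructed timestamp
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed seed
    seed_db = {"TOKEN-0001": seed}                            # hypothetical serial
    shown_on_token = code_at(seed, now)
    from_seed_copy = code_at(bytes(seed), now + 5)            # no token hardware involved
    stale = code_at(seed, now - 10 * STEP)
    result = {
        "token_accepted": server_accepts(seed_db, "TOKEN-0001", shown_on_token, now),
        "seed_copy_matches_token": from_seed_copy == shown_on_token,
        "stale_code_accepted": server_accepts(seed_db, "TOKEN-0001", stale, now),
    }
    # Replacing the token means the server record holds a different seed.
    seed_db["TOKEN-0001"] = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    result["old_seed_accepted_after_replacement"] = server_accepts(
        seed_db, "TOKEN-0001", from_seed_copy, now)
    return result

if __name__ == "__main__":
    print(demo())
```

The code alone is only the second factor; the memorized password the article describes is checked separately and is not modeled here.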

SecurID can still be trusted, according to RSA. “We do not believe that either customer or employee personally identifiable information was compromised as a result of this incident,” executive chairman Art Coviello said in a letter posted online and included in a filing made to the Securities and Exchange Commission.

RSA has not filed a report under Massachusetts’ data breach law, which requires companies who lose control of customer data to notify the attorney general’s office. However, Coviello wrote that “the attack resulted in certain information being extracted from RSA’s systems,” including information related to SecurID products.

Company officials declined yesterday to provide further details about the breach. Even if the damage is limited, the attack raised doubts about SecurID’s reliability, and demonstrated that criminals can find vulnerabilities even in the computer network of a major data security company. “It doesn’t matter how big you are, you will fall prey,” said Ollmann.

In an advanced persistent threat attack, invaders use every possible means to gain access to a network. The nature of the attack on RSA was not revealed, but Frank Andrus, chief technology officer of Bradford Networks Inc., a network security firm in Concord, N.H., said that attackers use sophisticated hacking tools along with simpler methods, like tricking a company’s employees into revealing their passwords or rooting through trash bins for sensitive data.

RSA on Thursday asked its customers to employ low-tech means to reduce their vulnerability to attack. For instance, the company warned against giving sensitive information to strangers and urged SecurID users to keep their vital server computers under lock and key. Andrus said that these suggestions may indicate that the attackers used such methods to compromise RSA, and might use similar tricks to exploit whatever information they managed to steal.

Still, Andrus doubted that the RSA breach poses any immediate security threat to SecurID users. “As long as they use the recommendations RSA has given out,” he said, “they should be OK.”

Hiawatha Bray can be reached at bray@globe.com