The Full Story of the Stunning RSA Hack Can Finally Be Told

Amid all the sleepless hours that Todd Leetham spent hunting ghosts inside his company’s network in early 2011, the experience that sticks with him most vividly all these years later is the moment he caught up with them. Or almost did.

It was a spring evening, he says, three days—maybe four, time had become a blur—after he had first begun tracking the hackers who were rummaging through the computer systems of RSA, the corporate security giant where he worked. Leetham—a bald, bearded, and curmudgeonly analyst one coworker described to me as a “carbon-based hacker-finding machine”—had been glued to his laptop along with the rest of the company’s incident response team, assembled around the company’s glass-encased operations center in a nonstop, 24-hours-a-day hunt. And with a growing sense of dread, Leetham had finally traced the intruders’ footprints to their final targets: the secret keys known as “seeds,” a collection of numbers that represented a foundational layer of the security promises RSA made to its customers, including tens of millions of users in government and military agencies, defense contractors, banks, and countless corporations around the world.

RSA kept those seeds on a single, well-protected server, which the company called the “seed warehouse.” They served as a crucial ingredient in one of RSA's core products: SecurID tokens—little fobs you carried in a pocket and pulled out to prove your identity by entering the six-digit codes that were constantly updated on the fob's screen. If someone could steal the seed values stored in that warehouse, they could potentially clone those SecurID tokens and silently break the two-factor authentication they offered, allowing hackers to instantly bypass that security system anywhere in the world, accessing anything from bank accounts to national security secrets.