{
	"id": "d97a5f16-577f-424b-a829-87d9ceed9190",
	"created_at": "2026-05-01T03:10:18.092272Z",
	"updated_at": "2026-05-01T03:10:50.651827Z",
	"deleted_at": null,
	"sha1_hash": "3cb6b764bd5cfa2b0c4abb81564fad548664ce07",
	"title": "The Full Story of the Stunning RSA Hack Can Finally Be Told",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3918843,
	"plain_text": "The Full Story of the Stunning RSA Hack Can Finally Be Told\r\nBy Andy Greenberg\r\nPublished: 2021-05-20 · Archived: 2026-05-01 02:45:36 UTC\r\nAmid all the sleepless hours that Todd Leetham spent hunting ghosts inside his company’s network in early 2011,\r\nthe experience that sticks with him most vividly all these years later is the moment he caught up with them. Or\r\nalmost did.\r\nIt was a spring evening, he says, three days—maybe four, time had become a blur—after he had first begun\r\ntracking the hackers who were rummaging through the computer systems of RSA, the corporate security giant\r\nwhere he worked. Leetham—a bald, bearded, and curmudgeonly analyst one coworker described to me as a\r\n“carbon-based hacker-finding machine”—had been glued to his laptop along with the rest of the company’s\r\nincident response team, assembled around the company’s glass-encased operations center in a nonstop, 24-hours-a-day hunt. And with a growing sense of dread, Leetham had finally traced the intruders’ footprints to their final\r\ntargets: the secret keys known as “seeds,” a collection of numbers that represented a foundational layer of the\r\nsecurity promises RSA made to its customers, including tens of millions of users in government and military\r\nagencies, defense contractors, banks, and countless corporations around the world.\r\nhttps://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/\r\nPage 1 of 4\n\nThis article appears in the July/August 2021 issue. Subscribe to WIRED.\r\nPhotograph: Djeneba Aduayom\r\nRSA kept those seeds on a single, well-protected server, which the company called the “seed warehouse.” They\r\nserved as a crucial ingredient in one of RSA's core products: SecurID tokens—little fobs you carried in a pocket\r\nand pulled out to prove your identity by entering the six-digit codes that were constantly updated on the fob's\r\nscreen. 
If someone could steal the seed values stored in that warehouse, they could potentially clone those\r\nSecurID tokens and silently break the two-factor authentication they offered, allowing hackers to instantly bypass\r\nthat security system anywhere in the world, accessing anything from bank accounts to national security secrets.\r\nNow, staring at the network logs on his screen, it looked to Leetham like these keys to RSA’s global kingdom had\r\nalready been stolen.\r\nLeetham saw with dismay that the hackers had spent nine hours methodically siphoning the seeds out of the\r\nwarehouse server and sending them via file-transfer protocol to a hacked server hosted by Rackspace, a cloud-hosting provider. But then he spotted something that gave him a flash of hope: The logs included the stolen\r\nusername and password for that hacked server. The thieves had left their hiding place wide open, in plain sight.\r\nLeetham connected to the faraway Rackspace machine and typed in the stolen credentials. And there it was: The\r\nserver’s directory still contained the entire pilfered seed collection as a compressed .rar file.\r\nUsing hacked credentials to log into a server that belongs to another company and mess with the data stored there\r\nis, Leetham admits, an unorthodox move at best—and a violation of US hacking laws at worst. But looking at\r\nRSA’s stolen holiest of holies on that Rackspace server, he didn’t hesitate. “I was going to take the heat,” he says.\r\n“Either way, I'm saving our shit.” He typed in the command to delete the file and hit enter.\r\nMoments later, his computer’s command line came back with a response: “File not found.” He examined the\r\nRackspace server’s contents again. It was empty. 
Leetham’s heart fell through the floor: The hackers had pulled\r\nthe seed database off the server seconds before he was able to delete it.\r\nAfter hunting these data thieves day and night, he had “taken a swipe at their jacket as they were running out the\r\ndoor,” as he says today. They had slipped through his fingers, escaping into the ether with his company’s most\r\nprecious information. And though Leetham didn’t yet know it, those secrets were now in the hands of the Chinese\r\nmilitary.\r\nThe RSA breach, when it became public days later, would redefine the cybersecurity landscape. The company’s\r\nnightmare was a wake-up call not only for the information security industry—the worst-ever hack of a\r\ncybersecurity firm to date—but also a warning to the rest of the world. Timo Hirvonen, a researcher at security\r\nfirm F-Secure, which published an outside analysis of the breach, saw it as a disturbing demonstration of the\r\ngrowing threat posed by a new class of state-sponsored hackers. “If a security company like RSA cannot protect\r\nitself,” Hirvonen remembers thinking at the time, “how can the rest of the world?”\r\nThe question was quite literal. The theft of the company's seed values meant that a critical safeguard had been\r\nremoved from thousands of its customers’ networks. RSA's SecurID tokens were designed so that institutions\r\nfrom banks to the Pentagon could demand a second form of authentication from their employees and customers\r\nbeyond a username and password—something physical in their pocket that they could prove they possessed, thus\r\nproving their identity. 
Only after typing in the code that appeared on their SecurID token (a code that typically\r\nchanged every 60 seconds) could they gain access to their account.\r\nThe SecurID seeds that RSA generated and carefully distributed to its customers allowed those customers’\r\nnetwork administrators to set up servers that could generate the same codes, then check the ones users entered into\r\nlogin prompts to see if they were correct. Now, after stealing those seeds, sophisticated cyberspies had the keys to\r\ngenerate those codes without the physical tokens, opening an avenue into any account for which someone’s\r\nusername or password was guessable, had already been stolen, or had been reused from another compromised\r\naccount. RSA had added an extra, unique padlock to millions of doors around the internet, and these hackers now\r\npotentially knew the combination to every one.\r\nThis past December, when it became public that the company SolarWinds was hacked by Russian spies, the world\r\nwoke up to the notion of a “supply chain attack”: a technique in which an adversary compromises a point of\r\nvulnerability in a software or hardware supplier positioned upstream from—and out of sight of—its target, a blind\r\nspot in the victim's view of their cybersecurity risks. The Kremlin operatives who hacked SolarWinds hid\r\nespionage code in an IT management tool called Orion, used by as many as 18,000 companies and institutions\r\nglobally.\r\nSource: https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.wired.com/story/the-full-story-of-the-stunning-rsa-hack-can-finally-be-told/"
	],
	"report_names": [
		"the-full-story-of-the-stunning-rsa-hack-can-finally-be-told"
	],
	"threat_actors": [],
	"ts_created_at": 1777605018,
	"ts_updated_at": 1777605050,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3cb6b764bd5cfa2b0c4abb81564fad548664ce07.pdf",
		"text": "https://archive.orkl.eu/3cb6b764bd5cfa2b0c4abb81564fad548664ce07.txt",
		"img": "https://archive.orkl.eu/3cb6b764bd5cfa2b0c4abb81564fad548664ce07.jpg"
	}
}