At this point, SecurID tokens' security is reduced to a single factor -- the pass code that users know. That makes them only as effective as regular passwords, he said.

Based on the reports suggesting that the RSA token was successfully emulated, "one can only assume that the breach of RSA leaked sufficient data to predict the number displayed by a particular token," Johannes Ullrich, CTO at SANS Institute, said in a . "It may also have leaked which token was handed to what company (or user)," Ullrich said.

RSA's silence probably makes the situation appear worse than it is, said Jeremy Allen, principal consultant with Intrepidus.

Even if the RSA attackers managed to steal more information on SecurID than might have earlier been thought, they would still need to have crucial information to exploit it, Allen said. For an attacker to successfully use a cloned SecurID token, he or she would still need to know the token user's username and pass code to access a particular network service, he said.

For someone to break into Lockheed using the RSA token, the attacker would need at least one Lockheed employee's username and pass code and would have to know which services that person could access.