BSAFE

From 2004 to 2013 the default random number generator in the library was a NIST-approved RNG standard that had been widely known to be insecure since at least 2006 and that contained a kleptographic backdoor from the American National Security Agency (NSA), part of its secret Bullrun program.

In 2013 Reuters revealed that RSA had received a payment of $10 million to set the compromised algorithm as the default option.

The Reuters article which revealed the secret $10 million contract to use Dual_EC_DRBG described the deal as "handled by business leaders rather than pure technologists".

Not only is Dual_EC hilariously slow – which has real performance implications – it was shown to be a just plain bad random number generator all the way back in 2006.

It is also possible to derive the secret key by solving a single instance of the algorithm's elliptic curve problem[5] (breaking an instance of elliptic curve cryptography is considered unlikely with current computers and algorithms, but a breakthrough may occur).

The following month, Reuters published the report based on the Snowden leaks stating that RSA had received a payment of $10 million to set Dual_EC_DRBG as the default.

On December 12, 2020, Dell announced the reversal of RSA's past decision, allowing BSAFE product support beyond January 2022 as well as the possibility of soon acquiring new licenses.