
Moreover, as early as 19 September.
Microsoft, for example, has made no such statement. But more on that below.
In its products RSA Data Protection and RSA BSAFE, the NIST-certified Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) (description) was used throughout. And it was certified, as it turned out, with a surprise from the US National Security Agency. That is, its output is not random at all if you know the essence of the backdoor.
Researchers said back in 2007 that this algorithm may contain a backdoor. That did not prevent NIST from certifying it. But the uproar began after the documents published by Snowden, which clearly pointed to a certain 2006 standard.
Dual_EC_DRBG, by the way, is a pretty popular thing.
It has been implemented in Windows starting with Vista SP1, which makes it the most widespread in the world. There is also an implementation in OpenSSL, and in general it seems to have been lobbied into a heap of products (McAfee, for example, though they used it only for public sector programs). So it will take a long time to clear it out of the code.
UPD: From the comments, the details of how the backdoor works, explained in the simplest terms (translation).
UPD2: List of certified products that use this algorithm in one way or another.