
If I have an RSA SecurID hardware key, I can see serial numbers on the back of the SecurID (so not the every-minute changing token)?

Is that public information? Or should the serials on the back of an RSA SecurID be held private/confidential?

Z.T.
niving6473

2 Answers


Serials on SecurID tokens are not secret information. The seed that is used to calculate the keys is not related to the serial, and keeping it secret will not enable anyone to crack the authentication codes more easily.

There is one exception: RSA itself keeps a record of all the seeds and which serials use them, and if that record is breached all bets are off. This has happened once before. In this case, you're screwed, and you have to replace all your tokens with ones whose seeds are still secret. Hiding the serial might protect you for a few hours longer than the next guy, but the token codes themselves can also be used to find which seed from a list matches your token.

At the end of the day, SecurID isn't any more or less secure than the common TOTP codes generated by things like Google Authenticator. It's the same principle, and if Google loses those seeds, the same thing happens.

Reid Rankin
    It’s worth distinguishing between the case of SecurID being compromised (which affects all users of that technology) and the case of a single website or service. Use of Google Authenticator in the answer is a bit confusing, as Google does not keep a copy of all the seeds you have imported into the Android / iOS app, only the ones relating to Google services. – David Oct 18 '20 at 22:51
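The answer's point that the serial is unrelated to the codes can be seen in the TOTP principle it compares SecurID to. The following is an added example, not code from the answer's author or from RSA: it implements RFC 4226 HOTP and RFC 6238 TOTP over a constructed, hypothetical issuer database in which the serial is nothing more than a lookup key for the seed. The serial values and the second seed are made up; the first seed is the RFC 6238 test seed, so its outputs can be checked against the RFC's published vectors. Two records with different serials but the same seed produce identical codes, which is exactly why hiding the serial buys nothing while protecting the seed database is everything.

```python
import hashlib
import hmac
import struct
import time


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a zero-padded decimal code."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock.
    Note the inputs: seed and time only. No serial anywhere."""
    return hotp(seed, unix_time // step, digits)


# Constructed issuer-side records (hypothetical; not RSA's real format).
# The serial is only the lookup key; the seed is the secret. Serials are
# made up; the first two seeds are the RFC 6238 test seed.
TOKEN_DB = {
    "000123456789": b"12345678901234567890",
    "000987654321": b"12345678901234567890",          # same seed, different serial
    "000555555555": b"constructed-seed-no-2-for-demo",  # different seed
}


def code_for_serial(serial: str, unix_time: int, digits: int = 6) -> str:
    """What the issuer computes for a token: serial -> seed -> code.
    The serial itself never enters the HMAC."""
    return totp(TOKEN_DB[serial], unix_time, digits=digits)


def verify(serial: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check allowing +/- `window` steps of clock drift, using a
    constant-time comparison so a mismatch leaks nothing through timing."""
    seed = TOKEN_DB[serial]
    for drift in range(-window, window + 1):
        expected = totp(seed, unix_time + 30 * drift)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    for serial in TOKEN_DB:
        print(serial, code_for_serial(serial, now))
```

Running it shows the first two serials always print the same code and the third differs, because the only secret input is the seed. The defensive consequence is the one the answer draws: what needs protecting is the seed store on the issuer side, not the number printed on the plastic.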

Hard to know, but it is probably only product references. One way to check would be a pattern, like the same first numbers for two devices. If it is indeed serials, the only way that could impact you is if someone could somehow go to RSA and check if they have records of matching ids and private seeds. So, unlikely to happen.

You could also think that the private seed in the SecurID was used to produce the serials: how much of the seed would it reveal? According to this (might be a different device, same company), the seed is 64 bits long. How many bits could be encoded in your serial, and how much would that reduce the security of the algorithm? (e.g. it needs 20 base-10 characters to encode any 64-bit seed).

Lou_is