Our new SSL certificates are now live. At this time, we recommend that users reset their passwords using a new, unique passcode. This is a preventative measure for added protection - we've performed very in-depth analysis and have found no evidence of breaches or attacks during the time the vulnerability was live for Box users.
We've also added additional details below to answer some of the common questions we've been hearing.
On April 7, 2014, a major security flaw was discovered with OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption for a majority of sites and services across the web.
Earlier this year, Box updated its servers and upgraded to a version of OpenSSL that contained the vulnerability.
Within hours of notification about this vulnerability on April 7, Box released a patch to protect all logins and content . We also took the extra step to revoke and reissue our SSL certificates for the product for added precaution. These new certificates were live as of April 11, 2014. To date, we have no indication that Box has been targeted or attacked in relation to this bug.
Now that the new SSL certificates are live, we recommend that users reset their Box passwords as an additional security measure. Again, this is just an added precautionary measure as we have not found any indications of malicious activity.
Frequently asked questions
Is it safe to use Box?
Yes. We've performed a thorough investigation and have found no breaches, attacks, or malicious activity during the time we were using the version of OpenSSL that contained the Heartbleed vulnerability. Box takes the security of your personal information and data very seriously, which is why we immediately patched the bug within hours of the initial notification and have take the extra step of reissuing our SSL certificates. Though we haven't seen any evidence of malicious activity around this vulnerability, we do recommend users reset their passwords just as an added precaution.
Do I really need to reset my password?
It's optional, but if you have any concerns or have logged into your account recently we do advise you to proactively update your password.
How do I change or reset my password?
Detailed instructions for how to change your password if you're already signed into your account are available here. If you're not logged in or don't remember your password, here are instructions for how to reset your password.
What if I use SSO (Single Sign-On) to log in to Box? Should I also reset my password?
Because SSO users do not enter a Box password when they log in (this is done through the organization's identify provider such as Okta or Ping Identity), you do not need to reset a password. The exceptions are if you're a user at a company where SSO login is optional or you use an external password (a separate Box-specific password that can be used to log into apps that don't support single sign-on like some iOS apps, WebDAV or FTP) to access Box and have used those since the beginning of 2014. In that case, we recommend you reset that external password now for added protection.
I'm an admin of a Box account. How do I know if my users need to reset their passwords?
The short answer is that if you have any concerns, you should err on the side of caution and initiate a password reset for your users just in case (instructions for how to do that are here). We will be sending an email to the subset of users on paid accounts that logged in during the time the vulnerability was live that specifically should reset their passwords, but it's always a good idea to regularly update passwords and this could be a good time for all of your users to update as well.
What else can I do to make sure my personal info and content on Box stays secure?
We highly recommend that users enable our two-step login verification feature for added security and protection of your login credentials.
I'm an admin of a Box account. What else can I do to keep my users protected?
Box offers a variety of security features you may want to leverage for added protection (especially around users' login credentials), including:
- Require password resets on a regular basis or perform a global password reset for all your users (documentation: What security settings can I enforce for my users?)
- Enforce strong password requirements for your users and external collaborators (documentation: What security settings can I enforce for my users? and Strong Password for External Collaborators Overview and FAQs)
- Require two-step login verification for your users (admin documentation: Admin Console 2 Step Login Verification; user documentation: Can I enable 2 step verification for my account?)
- Consider setting device pinning limitations for your users (documentation: Device Pinning Overview and FAQs)
- Create centralized content policies for your account (documentation: How do I create a security policy? )