As most of you have heard by now, a major security flaw was discovered with OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption for a majority of sites and services across the web, on April 7. We have run a full investigation and have no indication that Box has been targeted or attacked in relation to this bug, but for those of you looking for more information I'd like to share some context and the steps we've taken to protect our users.
"Heartbleed" is one of the worst vulnerabilities I have seen in the past 10 years. Those of you who have been in security for a while know that we can never prevent everything that comes our way, but we can build processes and culture of rapid response. When we found out about the OpenSSL vulnerability this week, our team didn't go home until early hours of the morning the following day - we had to be certain that our users were safe.
What actions have we taken?
Within hours of notification about this vulnerability, we released a patch to OpenSSL to protect all logins and content. In addition, we performed internal and external scanning to confirm that all Internet-facing Box services were not vulnerable to this attack. And we immediately initiated the process of revoking and reissuing our SSL certificates for the product to be extra cautious. We now have all new certificates in place.
To date, we have no indication that Box has been targeted or attacked in relation to this bug and we have not detected any malicious activity. As an additional measure, we are in the process of notifying users that logged into their accounts since we upgraded our servers earlier this year and started running a version of OpenSSL that contained the vulnerability, advising them to reset their Box passwords. Again, this is just an added precautionary measure, but Heartbleed deserves this level of caution.
So, where do we go from here?
If I could ask you to do one thing - turn on two-factor authentication today. Beyond that, make sure that you're using strong password requirements for all your users - internal and external. Also, if you're using one of our SSO partner integrations like Okta, Ping, or OneLogin, we encourage you to turn on the the SSO-required option within Box in combination with two-factor authentication option in the SSO solution. Account protection is a critical element of a security strategy and we've made significant investments so our customers have the controls they need to keep user information safe. My team is committed to keeping your data protected.
Check out our help page for the latest info on our responses to the Heartbleed bug: https://support.box.com/hc/en-us/articles/202356058