Multi-Factor Authentication Bypass Led to Box Account Takeover



Because of the vulnerability – which was addressed in November 2021 – an attacker needed only stolen credentials to access an organization’s Box account and steal sensitive data, provided that the account had SMS-based MFA enabled (a method that has long been proven insecure).

Box, which claims that close to 100,000 companies use its platform, allows users without Single Sign-On (SSO) to further secure their accounts with either an authenticator application or SMS-based second-factor authentication.
