Email to users of Georgetown Box accounts:
This recommendation only applies to users who log in through SSO. If they have used an external password (a separate Box-specific password that can be used to log into apps that don't support SSO like some iOS apps, WebDAV or FTP) with a third-party application.
Subject: Security Info Regarding Your Box Account – Please Update Your Password
You may be aware that a major security flaw was discovered with OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Security Layer) encryption for a majority of sites across the web, on Monday, April 7. We are reaching out today to alert you to this issue and encourage you to update your Box password.
While we released an update to protect Box against this vulnerability within hours of the initial notice on April 7, we have been running a version of OpenSSL with the vulnerability for a short period of time and our records show that you logged into your account during that period. It's important to note that Box has not been targeted or attacked in that time and we have not detected any malicious activities, but we take the security of your personal information and data very seriously and want to be extra cautious.
What does this mean for you? As extra precaution, we are advising that you update your account with a new password now that we've patched the vulnerability and released new SSL certificates. To do so, you'll need to choose a new password if you're logged into the website. If you're not logged in already, don't remember your password or are locked out of your account, you can request a password reset.
If you use a single sign-on (SSO) or identity provider such as Okta or Ping Identity to log into Box, we are advising that you reset your external password (a separate Box-specific password that can be used to log into apps that don't support single sign-on like some iOS apps, WebDAV or FTP). You can do so by logging into Box with your SSO credentials, then following the steps here to choose a new external password.
More info and updates on the OpenSSL "Heartbleed" bug are available on this thread from the Box Help site.
The Box Team