A security bug in the file-sharing cloud app could have allowed attackers using stolen credentials to skate by one-time SMS code verification requirements.
https://threatpost.com/box-2fa-bypass-accounts-attack/177760/
No security defense is perfect, and shadow IT means no company can inventory every single asset that it has. David “moose” Wolpoff, CTO at Randori, discusses strategies for core asset protection given this reality.
https://threatpost.com/defending-unknown-assets-cyberattacks/175730/