A vulnerability in the implementation of multi-factor authentication (MFA) for Box allowed threat actors to take over accounts.