Cloud-based document storage service Dropbox has confirmed that customer email addresses were stolen from one of its own employees’ Dropbox accounts.
The company was alerted to the breach when users noticed they were receiving spam on email accounts they only used for Dropbox.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," wrote engineer Aditya Agarwal in a company blog post.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," he added. "We believe this improper access is what led to the spam.
"We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again."
As a result of the breach, Dropbox will introduce optional two-factor authentication, possibly using log-in codes sent to users’ mobile phones, "new automated mechanisms to identify suspicious activity" and a new page that allows users to see logins to their accounts.
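The two controls mentioned above, automated detection of suspicious sign-in activity and a per-account login history, can be sketched in a few lines. The following is an added illustration written for this page, not Dropbox's own code: the sign-in events are constructed sample data, and the thresholds (five distinct accounts from one IP inside ten minutes; a successful login from an IP never seen before for that account) are assumptions chosen to make the patterns visible.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (timestamp, account, source IP, success).
# Addresses are documentation-range IPs and example.com mailboxes, not real data.
EVENTS = [
    ("2012-07-30T10:00:00", "alice@example.com", "203.0.113.5", True),
    ("2012-07-30T10:00:02", "bob@example.com",   "203.0.113.5", False),
    ("2012-07-30T10:00:03", "carol@example.com", "203.0.113.5", False),
    ("2012-07-30T10:00:04", "dave@example.com",  "203.0.113.5", True),
    ("2012-07-30T10:00:05", "erin@example.com",  "203.0.113.5", False),
    ("2012-07-30T10:00:06", "frank@example.com", "203.0.113.5", False),
    ("2012-07-30T11:00:00", "alice@example.com", "198.51.100.7", True),
    ("2012-07-31T09:00:00", "alice@example.com", "198.51.100.7", True),
    ("2012-07-31T09:05:00", "bob@example.com",   "192.0.2.9",   True),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Return source IPs that tried >= min_accounts distinct accounts within `window`.

    One IP cycling through many different usernames in a short time is the
    signature of passwords leaked elsewhere being replayed against this site.
    Thresholds are assumed values for the illustration.
    """
    by_ip = defaultdict(list)
    for ts, account, ip, _ok in events:
        by_ip[ip].append((parse(ts), account))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            # Sliding window starting at each attempt: count distinct accounts.
            accounts = {acct for t, acct in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged.add(ip)
                break
    return flagged


def new_location_logins(events):
    """Return (account, ip) pairs for successful logins from an IP not seen before
    for that account. Only successful logins build the 'known' set, so a failed
    guess from a new IP does not silently whitelist that IP."""
    seen = defaultdict(set)
    alerts = []
    for _ts, account, ip, ok in sorted(events, key=lambda e: e[0]):
        if not ok:
            continue
        if seen[account] and ip not in seen[account]:
            alerts.append((account, ip))
        seen[account].add(ip)
    return alerts


def login_history(events, account):
    """The per-account view a 'recent logins' page would show: successful
    sign-ins for one account, oldest first, as (timestamp, ip)."""
    return [(ts, ip) for ts, acct, ip, ok in sorted(events, key=lambda e: e[0])
            if acct == account and ok]


if __name__ == "__main__":
    print("credential-stuffing sources:", flag_credential_stuffing(EVENTS))
    print("new-location logins:", new_location_logins(EVENTS))
    print("alice's history:", login_history(EVENTS, "alice@example.com"))
```

Neither check needs the password itself: both work purely from who logged in, from where, and whether it succeeded, which is why such signals can be computed server-side without weakening anything else. A second factor closes the gap these detectors only observe, since a replayed password alone no longer completes the sign-in.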
It also recommended that customers use different passwords for individual websites or use a password management service such as 1Password.
The incident reveals how password reuse exposes multiple sites and their customers to data breaches in the event of a significant password leak, such as those at LinkedIn and eHarmony.
More embarrassing for Dropbox, though, is that one of its own employees apparently failed to follow password best practice, putting customer data at risk.
This will not be reassuring for businesses wondering whether to allow their employees to use Dropbox for work purposes.