Dropbox has pinned a recent spam outbreak on an unnamed, hacked third-party website, from which one of its employees' passwords was stolen.
Customers of the cloud storage service last month complained that they were receiving spam to their dormant Dropbox email accounts.
Dropbox initially stated that there were no "reports of unauthorised activity on Dropbox accounts", but later found that passwords stolen from other websites had been used to access a "small number" of accounts.
According to Dropbox engineer Aditya Agarwal, an unnamed Dropbox employee who was affected by the hack used the same password on an unspecified website as well as on his Dropbox account.
The employee's Dropbox account also contained a "project document with user email addresses", Agarwal wrote on the company's blog.
The unsolicited messages sent to Dropbox users predominantly advertised European gambling websites. Users complained on company forums that they were receiving spam in email accounts that had been specifically created for use with the service.
The company subsequently launched an internal investigation and brought in an outside security team to track down what might have happened.
Dropbox urged users to make sure they were using unique passwords across online services.
"The Dropbox incident underlines the necessity of having different passwords for every website," said Graham Cluley, senior technology consultant at Sophos.
"As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts.
"The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves."
According to Jay Heiser, a research vice president at Gartner, the fact that the password was siphoned from a third-party source and used against Dropbox indicated that password complexity requirements or other policies were "useless and impractical".
"The passwords were stolen outside of Dropbox, so no amount of password complexity on the part of Dropbox could have prevented these incidents," Heiser wrote, adding that more secure authentication methods were necessary to protect users.
Dropbox may be coming around to that view, as Agarwal outlined new security features that will be rolled out to users over the next few weeks, including two-factor authentication, a new page that lists logs of recent user activity and "other automated mechanisms to help identify suspicious identity."
Agarwal also noted plans to proactively start prompting users to change ageing or commonly used passwords, but did not disclose when the new features would be rolled out.