Cloud storage provider Dropbox has confirmed that usernames and passwords stolen from other websites were used to sign in to a small number of Dropbox accounts.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses," wrote Dropbox engineer Aditya Agarwal in a company blog post.
The company believes this is what led to some users receiving spam at email addresses used only for Dropbox.
"We’re sorry about this, and have put additional controls in place to help make sure it doesn’t happen again," Agarwal wrote.
Dropbox is taking steps to improve the safety of accounts even if passwords are stolen, including adding two-factor authentication, implementing automated mechanisms to help identify suspicious activity, and setting a new page that lets users see all active logins to their account.
"In some cases, we may require you to change your password. For example, if it’s commonly used or hasn’t been changed in a long time," Agarwal said.
Dropbox also recommended that users improve their online safety by setting a unique password for each website they use.
"Though it’s easy to reuse the same password on different websites, this means if any one site is compromised, all your accounts are at risk. Tools like 1Password can help you manage strong passwords across multiple sites," Agarwal said.
The Dropbox incident underlines the necessity of having different passwords for every website, said Graham Cluley, senior technology consultant at security firm Sophos.
"As people pile more confidential information onto the web, hackers are being given a greater incentive to penetrate accounts. The frequency and severity of these data breaches is proving time and time again that users must make better efforts to protect themselves," he said.
"If you are going to entrust sensitive data to Dropbox, my advice is that you should automatically encrypt it before sharing it with the service," continued Cluley.
"That way anyone who raids your account won't be able to make sense of what you have stashed in the cloud anyway. Businesses are waking up to the need to use automatic and invisible encryption alongside their cloud storage - protecting users who make use of services such as Dropbox."
The news comes as the European Union cybersecurity agency Enisa called on service providers and end-users to work together to protect online identities.
Passwords protect sensitive information, yet in the first half of 2012 alone, data breaches have exposed millions of citizens’ personal data including password information, said the European Network and Information Security Agency.
The organisation has published guidelines on improving password security for online service providers and users.
GUIDES TO BEST PRACTICE
For more security news,sign-up for our security newsletter.