The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise more forcefully after being hit by a spam attack that stemmed from the breach of an employee's account.
Dropbox confirmed Tuesday that a stolen employee password led to the theft last month of a "project document" that contained user e-mail addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling Web sites.
In investigating the theft, the company found that usernames and passwords stolen from other Web sites were used to access "a small number" of Dropbox accounts, an indication that account holders were using their credentials on multiple sites. Experts consider that practice a serious security risk, because hackers often use stolen credentials to enter other services.
Although some spam recipients claimed to use unique email addresses for Dropbox, the company said its investigation showed its internal systems had not been hacked. Nevertheless, the spam attack has not helped the company in its efforts to be seen as more than just a free consumer-oriented service. That effort started last year with the launch of a paid business service called Dropbox for Teams.
"I am doubtful that they are enterprise-ready at this time," said John Kindervag, analyst for Forrester Research. "Their focus and incentives are not yet properly aligned."
Others agreed that Dropbox still has a ways to go. "Dropbox has had a checkered history with security, but perhaps this was the wakeup call they needed," Chester Wisniewski, senior security adviser for Sophos, said in an interview via email.
Dropbox has said it will beef up security in light of the breach. The company soon plans to introduce a number of new controls, including two-factor authentication in which a temporary code would be sent to a user's mobile phone.
Other security upgrades include a new page that shows logs of user activity and other automated mechanisms for identifying suspicious activity. Dropbox may also start prompting users to change passwords that have been in use for a long time.
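The two detection ideas the article attributes to Dropbox's planned upgrades, an activity log and automated flagging of suspicious access, can be sketched in a few lines. The following is an added example, not Dropbox's code: it assumes a constructed, single-line-per-event login log (timestamp, account, source IP, result), flags a source IP that hits several distinct accounts in a short window (the signature of credentials stolen elsewhere being replayed, as described above), flags successful logins from an IP the account has never used, and lists the accounts that a flagged IP actually got into so they can be prompted to change their password. The thresholds and log format are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real data): timestamp, account, source IP, result.
# One source IP works through five accounts in a few seconds; two later logins come from
# addresses those accounts have not used before.
SAMPLE_LOG = """\
2012-07-30T10:00:01Z alice@example.com 203.0.113.5 success
2012-07-30T10:00:02Z bob@example.com 203.0.113.5 success
2012-07-30T10:00:04Z carol@example.com 203.0.113.5 failure
2012-07-30T10:00:05Z dave@example.com 203.0.113.5 success
2012-07-30T10:00:06Z erin@example.com 203.0.113.5 success
2012-07-30T11:15:00Z alice@example.com 198.51.100.7 success
2012-07-30T12:00:00Z bob@example.com 192.0.2.9 success
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (success|failure)$")


def parse_log(text):
    """Parse the assumed log format into (timestamp, account, ip, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {ip: distinct_accounts} for IPs that try >= min_accounts different accounts within `window`.

    Both successes and failures count: an attacker replaying a stolen password list
    touches many accounts from one address regardless of how many passwords still work.
    """
    by_ip = defaultdict(list)
    for ts, account, ip, _result in sorted(events):
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window` seconds.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            accounts = {acct for _, acct in attempts[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[ip] = max(len(accounts), flagged.get(ip, 0))
    return flagged


def find_new_location_logins(events, known_ips):
    """Return (account, ip) for each successful login from an IP not in that account's baseline.

    `known_ips` maps account -> set of IPs seen before (assumed to come from the activity log history).
    Each new IP is alerted once and then added to the baseline.
    """
    seen = {acct: set(ips) for acct, ips in known_ips.items()}
    alerts = []
    for _ts, account, ip, result in sorted(events):
        if result != "success":
            continue
        if ip not in seen.setdefault(account, set()):
            alerts.append((account, ip))
            seen[account].add(ip)
    return alerts


def accounts_to_reset(events, flagged_ips):
    """Accounts a flagged IP successfully logged into: candidates for a forced password change."""
    return sorted({acct for _ts, acct, ip, result in events
                   if ip in flagged_ips and result == "success"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    stuffing = find_credential_stuffing(evs)
    print("credential-stuffing sources:", stuffing)
    print("accounts to reset:", accounts_to_reset(evs, set(stuffing)))
    baseline = {a: {"203.0.113.5"} for a in ("alice@example.com", "bob@example.com",
                                              "dave@example.com", "erin@example.com")}
    print("new-location logins:", find_new_location_logins(evs, baseline))
```

The two checks are complementary: the per-IP check catches the bulk replay of credentials stolen from another site even when most attempts fail, while the per-account check catches the single successful login from an unfamiliar address that the bulk check would miss. In a real deployment the baseline would be built from the activity log itself, and the thresholds tuned against the service's own traffic.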
While Dropbox's security plans are likely to be welcomed, the bigger problem for businesses is that workers use such cloud-based services -- without a corporate okay -- to store sensitive documents that could violate compliance laws or internal data privacy rules, Kindervag said. Dropbox would not be the place to store such information, because the site doesn't provide businesses with adequate levels of control, such as auditing of data and tracking who got the information and what was done with it.
"While I certainly understand that users often feel like they need to do things to get their job done, they need to think about the security implications," Kindervag said. "Dropbox, from my perspective, is a very consumer kind of solution."