The Dropbox file-sharing service suffered a setback in its efforts to move into the enterprise more forcefully after being hit by a spam attackthat stemmed from the breach of an employee's account.
Dropbox confirmed Tuesday that a stolen employee password led to the theft last month of a "project document" that contained user e-mail addresses. With addresses in hand, the hacker then proceeded to spam European users of the cloud-storage service with ads for gambling Web sites.
In investigating the theft, the company found that usernames and passwords stolen from other Web sites were used to access "a small number" of Dropbox accounts, an indication that account holders were using their credentials on multiple sites. Experts consider that practice a serious security risk, because hackers often use stolen credentials to enter other services.
Although some spam recipients claimed to use unique email addresses for Dropbox, the company said its investigation showed its internal systems had not been hacked. Nevertheless, the spam attack has not helped the company in its efforts to be seen as more than just a free consumer-oriented service. That effort started last year with the launch of a paid business service called Dropbox for Teams.
"I am doubtful that they are enterprise-ready at this time," said John Kindervag, analyst for Forrester Research. "Their focus and incentives are not yet properly aligned."
Others agreed that Dropbox still has a ways to go. "Dropbox has had a checkered history with security, but perhaps this was the wakeup call they needed," Chester Wisniewski, senior security adviser for Sophos, said in an interview via email.
Dropbox has said it will beef up security in light of the breach. The company soon plans to introduce a number of new controls, including two-factor authentication in which a temporary code would be sent to a user's mobile phone.
Other security upgrades include a new page that shows logs of user activity and other automated mechanisms for identifying suspicious activity. Dropbox may also start prompting users to change passwords that have been in use for a long time.
While Dropbox's security plans are likely to be welcomed, the bigger problem for businesses is that workers use such cloud-based services -- without a corporate okay -- to store sensitive documents that could violate compliance laws or internal data privacy rules, Kindervag said. Dropbox would not be the place to store such information, because the site doesn't provide businesses with adequate levels of control, such as auditing of data and tracking who got the information and what was done with it.
"While I certainly understand that users often feel like they need to do things to get their job done, they need to think about the security implications," Kindervag said. "Dropbox, from my perspective, is a very consumer kind of solution."
Despite the security risks, more employees in the future are expected to use services, mobile devices and other new technologies outside the control of IT departments. Gartner predicts that in less than three years, 35% of enterprise IT expenditures will occur outside of the corporate budget. As a result, many experts advise companies to abandon their command-and-control strategy and adopt a more cooperative tactic to deal with workers looking for the easiest way to get their jobs done.
Dropbox's changes should improve security to users' accounts, and other companies such as Google, Facebook and Microsoft, have already implemented many of the same features, Wisniewski said. As an added precaution, users of cloud-based storage should rely on tools, available from security vendors, for encrypting data before it is stored in the cloud.
"Personally, I don't store anything in the cloud that I wouldn't want publicly accessible unless it is encrypted," Wisniewski said.
Dropbox is one of many free or low-cost file-sharing services available to consumers and businesses. Competitors include ADrive, Box.net, Flickr, Carbonite, Google Gmail, Mozy, SugarSync and YouSendIt.
Read more about cloud security in CSOonline's Cloud Security section.