Dropbox confirmed Tuesday that a stolen employee password led to the theft last month of a "project document" that contained user e-mail addresses. With addresses in hand, the hacker then with ads for gambling Web sites.

In investigating the theft, the company found that usernames and passwords stolen from other Web sites were used to access "a small number" of Dropbox accounts, an indication that account holders were using their credentials on multiple sites. Experts consider that practice a serious security risk, because hackers often use stolen credentials to enter other services.

Although some spam recipients claimed to use unique email addresses for Dropbox, the company said its investigation showed its internal systems had not been hacked. Nevertheless, the spam attack has not helped the company in its efforts to be seen as more than just a free consumer-oriented service. That effort started last year with the launch of a paid business service called Dropbox for Teams.

"I am doubtful that they are enterprise-ready at this time," said John Kindervag, analyst for Forrester Research. "Their focus and incentives are not yet properly aligned."