Dropbox has become the latest web service to suffer a huge security breach.
Thousands of users had their usernames and passwords stolen after hackers targeted the online hard drive and file sharing site.
The company said that a Dropbox employee was among those affected, and automatically reset affected users' passwords.
It said that earlier reports from its users of spam email being sent to addresses used only for Dropbox was the first sign of a breach.
"Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts," the site said.
"A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.
"We believe this improper access is what led to the spam. We're sorry about this, and have put additional controls in place to help make sure it doesn't happen again."
Dropbox recommended users use a service like 1Password, so that they don't have to use the same password for every service online.