Earlier this month, some Dropbox users began complaining about spam coming to addresses that they only used for the online storage and syncing service, leading the company to open an investigation into the issue. Dropbox concluded that it hadn’t been hacked, but up until now hasn’t been able to offer an explanation for the spam. So what exactly happened? In a Wednesday blog post, the company concludes that access to "a small number" of Dropbox accounts was achieved with user passwords stolen from other websites. As for the spam, the company says that one of these stolen passwords allowed someone to access a project document in a Dropbox employee’s folder; one that contained multiple user email addresses.

The notion that the company is keeping unencrypted lists of user emails lying around may not inspire a lot of confidence, but Dropbox says it's ratcheting up security across the board. The biggest change is the addition of optional two-factor authentication in the next few weeks. Users that opt in will require a second piece of information in addition to their passwords to log in, like temporary codes sent to their phones. The situation goes to show how important it is to have unique passwords for the different services you use online.