In brief: Spotify is easily one of the most popular music streaming services in the world, and for good reason: it's convenient and its music library is massive (and growing constantly). However, the bigger the service's userbase becomes, the greater the risk of a security breach becomes, as Spotify's fans learned the hard way recently. Hundreds of thousands of users were impacted by a third-party database leak, which exposed login credentials and led the company to reset up to 350,000 passwords.
To be perfectly clear, Spotify itself has not been attacked or breached in any way (as far as we know). Credential stuffing attacks occur when large password databases leak onto the web and hackers attempt to use the exposed credentials across as many sites as possible. Inevitably, they'll be able to gain access to at least a few sites and services.
If you practice proper password hygiene and ensure you aren't reusing the same login credentials across multiple websites or services, your chances of being caught in one of these breaches drop to nearly zero. However, as many of us with less than tech savvy relatives know, not everyone does this.
Unfortunately for Spotify, it seems well over 300,000 of its users have fallen into that camp. If you're one of them, and have received a password reset notification from Spotify recently, we highly recommend that you reset your password across any other websites that you've used the same credentials for.
All of this data was exposed in a "72GB database," which contained over "380 million records." The database was found and its existence was publicly disclosed by researchers from vpnMentor, a cybersecurity and internet privacy-focused blog. Other data vpnMentor found in the database includes email addresses and countries of residence.
Again, none of this is Spotify's fault. As vpnMentor points out, companies can't stop consumers from using and re-using weak passwords – they can only help users regain their accounts, which is precisely why Spotify performed this mass password reset.