Bottom Line Up Front: Using an attack method called “Credential Stuffing” (just in time for Thanksgiving in the US), attackers were able to breach between 300,000 and 350,000 Spotify accounts. Usernames, passwords, email addresses and countries of residence were exposed.
Details: Credential stuffing is method of attack whereby attackers use passwords that have been exposed in past data breaches in conjunction with their associated email addresses/passwords to gain access to an account. If you use the same password across multiple accounts, the you are vulnerable to credential stuffing attacks. The attackers now have access to over 300,000 Spotify accounts and may be able to gather payment information and other kinds of data from this access.