Credential stuffing takes advantage of people who reuse the same passwords across multiple online accounts. Attackers will use IDs and passwords stolen from another source, such as a breach of another company or website, that they then try to use to gain unauthorized access to other accounts. The attacks ultimately affected between 300,000 and 350,000 music-streamers, vpnMentor said a small fraction of the company s user base of 299 million active monthly users. Spotify initiated a rolling reset of passwords, making the information in the database relatively useless.
Source: https://threatpost.com/spotify-account-takeovers/161495/