At least 300,000 Spotify accounts are thought to have been hacked earlier this year, with email addresses, login credentials, and other user data exposed.
California law requires organizations to notify residents whose unencrypted personal information may reasonably have been accessed by unauthorized parties.
The sample notification is dated December 9, 2020, but, in it, Spotify estimates that the security vulnerability dates back to April 9, 2020, and says that it was discovered on November 12, 2020.
It states that registration information of users affected — including their email address, preferred display name, password, gender, and date of birth — may have been exposed to certain business partners.