A music-streaming site is probably one of the last places you’d expect hackers to hit. Sadly, you may have expected wrong. On Thursday, Spotify notified an unspecified amount of users that the company reset their passwords — but didn’t clarify why.

The most detail Spotify gave users were telling them that their passwords were reset “due to detected suspicious activity,” as TechCrunch reported.

Some Spotify users took to Twitter to express their confusion.

“Huh. Unexpected email from Spotify due to some ‘suspicious activity’. My password is randomly generated and long so makes me wonder what happened there,” one user tweeted.

https://twitter.com/x00/status/1131580774770192390

Although Spotify didn’t elaborate on what’s happening, it’s possible that this is an example of a “credential stuffing attack.” That’s where hackers scrape lists of usernames and passwords from hacked sites. Then, they use that information to get into other sites.

“As part of our ongoing maintenance efforts to combat fraudulent activity on our services, we recently shared a communication with select users to reset their passwords as a precaution. As a best practice, we strongly recommend users not to use the same credentials across different services to protect themselves,” a Spotify spokesperson told Billboard.

See other reactions below:

https://twitter.com/Barsbeh/status/1129020401944846336