So I received an email from Spotify telling me they had changed my password due to suspicious activity. I didn't click any link to avoid phishing, I just opened the app and it asked me to login, and my password didn't work anymore, so I assumed the email was legit. 

The main problem here is: Spotify won't tell me which activity was suspicious. They simply won't. There's no obvious way to get this information, which is ridiculous. They make us come to the community to get some help for things they won't help and the community has no way to help.

Why is it so hard to say which activity was suspicious? Or asking me before changing my password if I am responsible for this activity they consider suspicious? Or, maybe, why is it so hard to block a suspicious login try and confirm on my email if it is me? They do have an email confirmation to verify if it is me when I try to login, but I actually have to click it to send me an email confirmation. If they'll force a password change, why not force email confirmation instead?

It's really annoying that they force a password reset. And it's really annoying that they don't bother to tell me what was the suspicious activity. They don't clarify anything. They don't help. I did change my OS on my computer, so maybe this one was the suspicious activity. 

I did use some VPN, as my job recently needed it, so maybe that one was some suspicious activity. I did need to install over and over again my OS, as my PC had some problems, and I did use web player Spotify, maybe that was some suspicious activity. Later, I did use a virtual machine with a VPN, how nice they may think of it. And I did travel, maybe? And maybe someone on the other side of the world tried to use my account, who knows. But yet I don't know what did make Spotify send me that email and they don't care about information. Maybe they have a security breach and don't want us to know? It would be even cooler.