So what's the damage? According to Spotify, "Along with passwords, registration information such as your email address, birth date, gender, postal code and billing receipt details were potentially exposed. Credit card numbers are not stored by us and were not at risk."
As noted below in the comments, it was the password hashes that may have been exposed, not plaintext passwords.
The blog post urges members who created accounts on or before December 19th, 2008 — the date a known bug was fixed — to change their password for Spotify and any other sites where they were using the same password.
So what happened? A group of hackers compromised Spotify's protocols through a bug in a system, which the company reportedly fixed on December 19th. The post states that "the information that may have been exposed when our protocols were compromised is the password hashes. As stated, we never store passwords, and they have never been sent over the Internet unencrypted, but the combination of the bug and the group’s reverse-engineering of our encrypted streaming protocol may have given outsiders access to individual hashes."