Bulk lists of usernames and passwords on pastebin

Hi,

Sorry if this is the wrong sub.

I recently was a victim of a Spotify username+pw mass list leak on pastebin.

The outcome of the breach has so far been a pain in the ass, but luckily I have not seen any loss of value.

Now I am trying to gather more knowledge of the incident and obviously make sure I can avoid this in the future.

I am usually very cautious regarding account security. I rarely use the same password twice and I use 2-step validation whereever it is applicable.

Here’s where it gets a bit strange; I don’t have Spotify installed on my computer. For the past year or so I have only accessed Spotify through my cellphone, and I always try to have Bluetooth turned off.

I suppose the information could have been gathered a long time ago, but it still seems strange.

My questions are, how are these lists usually generated? What could I do different to avoid this in the future?

Thanks.

Edit: I have an iPhone and have not jailbreaked it.