"We recently discovered that one of our Web sites was exploited to gain unauthorized access to some of our online systems. We instantly took steps to close this off and to begin a thorough investigation with the relevant authorities, internal and external security experts, and to start restoring the integrity of any systems that may have been compromised," the company shared on its blog and in the email notifications sent to its users.
Apparently no credit/debit card information was compromised as no personal payment information is stored with the company, and the attackers haven't managed to get access to the database containing users' real name, physical address and phone numbers.
The accesses passwords are encrypted, but the company has nevertheless advised users to log into their account and to change their passwords - preferably to a complex and long one. If they have used the same or similar password on a number of online accounts, they are advised to change the password on those, as well.
I would add: beware of phishing attempts masked as emails from Ubisoft, asking for your personal or financial info, and don't click on links offered in these emails. Also, change your password by logging into your account via the official Ubisoft login page.
The company has confirmed that the attack did not originate via any Uplay services, and that the attackers have managed to get into some of their online systems by using stolen credentials.
No additional details about the intrusion were shared, and the investigation continues. The company did create an official forum thread for users to post questions - presumably regarding the changing of passwords, as it's doubtful they will be answering questions about the breach - but it has been used so far mostly by users who are understandably angry at the company for failing to protect their data and were looking to vent.
"Ubisoft’s security teams are exploring all available means to expand and strengthen our security measures in order to better protect our customers. Unfortunately, no company or organization is completely immune to these kinds of criminal attacks," the company openly admitted, and I have to give them props for that - even if they botched the job with a breach notification devoid of any helpful detail.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.