I got 4 emails from Ubisoft earlier. 2 in French, 2 in English. Here is the one that matters:
It looks like you recently made changes to your Uplay account. For your protection, this notification has been sent to the email address associated with your Uplay account.
Our records indicate that you changed the following information:
If this was you, you can ignore the rest of this message.
If you didn’t change these fields, someone may be accessing your account without your permission.
We strongly recommend that you change your account password on ubisoft.com or through any Uplay enabled game.
If you no longer have access to your account, contact Ubisoft customer support to confirm your identity and reset your account.
The Ubisoft team
That message was sent to me and to firstname.lastname@example.org
My Ubisoft password was GE2djRIYRgq. It had been generated using LastPass and is not used on any other account. I’d count that as a lucky guess.
So I go to the Uplay site, log in, change the password and log out.
Then I see that it is possible to log in with Facebook or Live or Playstation Network. I doubt Ubisoft will ever tell me how this person logged in, so I go to each of their sites and change the password.
Live won’t let me use more than 16 characters which is just plain stupid. But they do have 2-factor which I have been using.
So I have 4 changed passwords now. But I do wonder how they guessed that password.