xSOSxHawkens 26 Aug, 2020 @ 2:26pm
PSA - Ubisoft accounts can be compromised despite 2FA being active.
So... Got an email from Ubisoft that my account was accessed from India two days ago, I am in the states. The login occurred without an email lvl 2FA challenge token being generated... And yes, email lvl 2FA was turned on.


I immediately logged in and was challenged by 2FA (that I had set up). It correctly sent the 2FA to my email. I logged in and changed passwords, and added an additional 2FA layer via cell phone.

I have checked the email account, it uses a different password and has *NOT* been compromised...


At this point I reached out to Ubisoft technical support, as I wanted to know *how* a successful login attempt had happened despite already having 2FA enabled at email lvl.

First, they ignored the content of my msg, and they *DISABLED* all 2FA on my account, replying with a copy/pasta script.

Eventually they told me,

Originally posted by Ubisoft:
...the original suspicious access you contacted us about happened on one of a few Ubisoft sites that do not leverage 2-step verification and do not allow for changes to the account or provide account information.

So there ya go guys and gals...

Ubisoft still has publicly accessible systems that *lack* 2FA but *will* allow a user to log in with your credentials...

I guess (since we don't know what these sites/areas are) that we all just have to trust Ubi when they say that the areas the hackers can access without 2FA are truly not places where they can see or do anything...

Figured you all should know.
Last edited by xSOSxHawkens; 26 Aug, 2020 @ 2:31pm
Showing 1-2 of 2 comments
Bastet 29 Aug, 2020 @ 11:11am 
Thanks for the heads up.
5 years later and this is still a vulnerability. Had 2 logins on my Ubi account - one from Seychelles and the other from Santa Monica while I am in India. Best to remove all payment info from your account.