"Over the last 24 hours we have identified that unauthorised entry was gained to our SEGA Pass database," it said in the e-mail that the company sent its Sega Pass users on Friday.
"We immediately took the appropriate action to protect our consumers’ data and isolate the location of the breach. We have launched an investigation into the extent of the breach of our public systems."
The breach resulted in the compromise of email addresses, dates of birth and encrypted passwords of 1.3 million users, but luckily no personal payment information was acquired by the attackers since SEGA doesn't store it and uses external payment providers.
The SEGA Pass system is still offline, but the passwords to the compromised accounts have already been reset.
The company is warning its users to be careful of potential phishing attacks mounted by using the stolen information and to change the passwords on other online services if they used the same as the one that got compromised.
LulzSec - the usual suspects when it comes to this kind of breach - have apparently denied their involvement and tweeted an offer to help Sega in "destroying" the hackers that attacked it.