"We have identified that a subset of SEGA Pass members emails addresses, dates of birth and encrypted passwords were obtained," the email warns. "To stress, none of the passwords obtained were stored in plain text," though it took the precaution of resetting all passwords anyway. In addition, Sega says that since payment information related to Sega Pass was stored through external providers, it wasn't at risk.
Sega asked users to refrain from trying to log into Sega Pass -- there's nothing there at the moment anyway. And "if you use the same login information for other websites and/or services as you do for SEGA Pass, you should change that information immediately."
[Thanks to everyone who sent this in!]