A report from Motherboard, citing an unnamed source with knowledge of the hack, reveals that the attackers could "gain access to any email account as long as it wasn't a corporate level account". Although the source claims this went on for at least six months, Microsoft says the hackers had access from January 1st to March 28th. Microsoft tried to calm users' concerns by saying that only "your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with" had been accessed.
Further details now circulating, however, indicate that the incident was worse than described in the software giant's announcement, as the hackers were even able to read users' emails. Enterprise accounts were not affected, per Motherboard's source.
While the breach is severe, Microsoft claims that the most sensitive of personal data - passwords and the contents of emails, as well as any files attached to said emails - were not accessible using the stolen credentials.
Our notification to the majority of those impacted noted that bad actors would not have had unauthorized access to the content of e-mails or attachments.
Specifically, Microsoft admitted it had sent breach notifications to some users informing them that their email content had (potentially) been read, but said this applied only to a small number of the affected users, around 6%.
"Please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence", the email adds. In a blog post from April, Microsoft said that it saw an average of 300,000 phishing attempts in February alone.