A hacker or group of hackers gained access to a customer support account for Microsoft, from which they then got access to information on customer accounts, including whom they communicated with. The company says that hackers had access to the information between January 1 and March 28, but an anonymous source speaking with Motherboard offered a conflicting timeframe, saying that "hackers had access for at least six months".
In an email to affected users, Microsoft noted that it "regrets any inconvenience caused by this issue", and that users should be "assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence". The company stressed that the content of the emails and attachments wasn't compromised.
It transpires that some users have been sent a notification from Microsoft informing them that hackers were able to access the content of emails.
While the aforementioned leaked notification claims the hackers would not have been able to read the content of messages, Microsoft would later admit - after media reports over the weekend - that the intruders could have accessed the contents of messages belonging to a subset of those impacted by the admin account hijacking.
Microsoft operates e-mail services including Outlook, MSN and Hotmail.
"Upon awareness of this issue, Microsoft immediately disabled the compromised credentials, prohibiting their use for any further unauthorized access", the company said.
The firm warned in its e-mail that users might receive more spam and phishing e-mails as a result of the incident, and urged users not to click on links from e-mail addresses they did not recognise.
It seems that a support employee had their login compromised, which meant the hackers were easily able to gain access to the account information. Users should change their passwords out of an abundance of caution.