The email sent out to users by Microsoft notes email addresses, folder names, subject lines of emails and email recipient addresses may have been exposed, but likely not the content of the emails themselves. The Microsoft Privacy Communication team’s email also notes that the security breach occurred very recently, between January 1, 2019 and March 28, 2019.
The full context of this warning email can be seen here. Hat tip to reddit users Keats852 for posting the copy on imgur…
"We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators' access." Microsoft notes with respect to its initial corrective action response.
Further, the company reiterates its commitment to security and user data protection, noting "please be assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as. additional hardening of systems and processes to prevent such recurrence."
That may be little solace for users who now have to deal with the realities of yet another security breach, though Microsoft notes the compromise involved only a “limited subset of accounts.” One would think it would not be easy to assess the scope of this breach, given that the company’s own customer support portal was the target threat vector that was compromised. That simple fact alone certainly doesn’t instill confidence.