The incident came to light when the software giant discovered that a support agent's credentials for its webmail service had been compromised, which led to unauthorised access to some accounts.
The compromise lasted from Jan. 1 to March 28, with Microsoft disabling the compromised credentials as soon as it became aware of the situation.
Microsoft was forced to revise its statement after Motherboard found that the attackers had full access to email content.
"This unauthorized access could have allowed unauthorized parties to access and/or view information related to your email account (such as your e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses you communicate with), but not the content of any e-mails or attachments", Microsoft said (emphasis is ours).
It transpires that some users have been sent a notification from Microsoft informing them that hackers were able to access the content of emails.
Microsoft hasn't divulged the number of accounts that may have been hit by the compromise but claimed that it was only a "limited subset of consumer accounts". It added that limited parts of Outlook users' emails may, as a result, have been compromised too.
It turns out that a security breach affecting some users of Microsoft's Outlook.com, Hotmail.com, and MSN.com webmail services is worse than originally thought.
The worry was that even limited information like email subject lines could enable malicious parties to concoct a more convincing phishing scam to aim at the user whose email they have (and they could also employ extra details like the names of friends, gleaned from the email addresses the user has contacted).
According to Microsoft, corporate-level accounts were not affected by the breach. Microsoft has not said how many accounts were affected. Out of an abundance of caution, however, customers whose inboxes were left exposed to the intruder will be getting additional "detection and monitoring" on their email accounts.