More accurately, that is not the full story. As far as we know, Microsoft did not actually lie to the users who received that specific email, in which the company admitted that email addresses, folder names, subject lines, and email recipient addresses could have all been exposed. But for a smaller subset of customers, the breach is even worse. That information was not included in that specific email.
The folks at Motherboard received a tip from someone who saw the attack in action and provided the site with a screenshot showing that actual email contents were exposed as well. That tip came in before Microsoft issued its initial statement. When shown the screenshot, Microsoft apparently confirmed that hackers did in fact gain access to the actual contents of emails, though not everyone's.
According to Microsoft, out of the small number of users who are affected by this, around 6 percent could have had their email contents exposed as well. Those users received a different email that outlined the expanded scope of the breach.
"We addressed this scheme, which affected a limited subset of consumer accounts, by disabling the compromised credentials and blocking the perpetrators’ access," Microsoft said in a statement.
Microsoft further stated that the limited subset of affected accounts only included consumer accounts, and not paid ones for enterprise customers. If true, businesses need not worry about sensitive information being leaked, though it comes as little consolation to non-paid users who trusted Microsoft not to bungle their email.
The breach itself is concerning, but what is also worrying is that Microsoft did not fess up to the full extent of the breach in one of the emails. Sure, it is an embarrassing situation for Microsoft, but this is not the way to handle such things.