UPDATED 21:38 EDT / APRIL 14 2019

SECURITY

Hackers gain access to Microsoft email accounts for nearly three months

An unknown number of Microsoft Corp. email account users, including those using Outlook and Hotmail, may have had details of emails stolen in a hack that lasted from Jan. 1 to March 28.

A hacker or group of hackers gained access to a customer support account for Microsoft, from which they then got access to information on customer accounts, including whom they communicated with.

In confirming the hack over the weekend, Microsoft claimed that the attackers accessed an affected user’s e-mail address, folder names, the subject lines of e-mails, and the names of other e-mail addresses the user communicated with, “but not the content of any e-mails or attachments.” That last claim was quickly disputed, with Microsoft later admitting to Motherboard that the hackers had gained access to the content of some customers’ emails, about 6 percent of those affected.

Why Microsoft would first deny that the content of victims’ emails had been accessed, and then change its statement when confronted with evidence to the contrary, was not immediately clear. The hacks only affected consumer accounts, not paid enterprise accounts, thanks to the limited access level of the breached customer service account.

In an email to affected users, Microsoft noted that it “regrets any inconvenience caused by this issue,” and that they should be “assured that Microsoft takes data protection very seriously and has engaged its internal security and privacy teams in the investigation and resolution of the issue, as well as additional hardening of systems and processes to prevent such recurrence.”

That protection includes an audit of customer service accounts to make sure that no further accounts are compromised, particularly given that the hackers remained undetected for three months.

Although the data breach is a problem for Microsoft, the next challenge will likely be the involvement of the European Union. No numbers of those affected have been provided, but it’s known that at least some of them were in the European Union, meaning that the data breach will fall under the purview of the EU General Data Protection Regulation. Because of that, an EU investigation is likely to follow into whether Microsoft complied with the regulation and whether it did its best to prevent the hack.
