It’s not certain how many people were affected, or where the largest group of victims was. Some of them were likely in the European Union, though, as Microsoft is offering contact info for its data protection officer. Enterprise customers also weren’t involved. The tech firm’s email offerings include everything from modern Outlook.com accounts through to legacy Hotmail and MSN addresses.

This is unlikely to be as far-reaching as the breach that touched on more than 772 million email addresses, but it’s still a substantial violation of privacy. The attackers could theoretically use this not just for spam, but to piece together details of users’ personal lives and rely on that for fraud and identity theft.