Microsoft, which confirmed this late on Monday, Oct 5, said that the passwords have been removed from the website exposing them.
The company said it would block access to the accounts that were exposed and work with customers to reclaim access to them.
Microsoft did not divulge details on how many users were affected. However, some media reports suggest that passwords of more than 10,000 accounts were exposed.
Phishing is a method of hacking where a fraudster would get personal details of an account holder by posing as a credible body such as a bank or IT department.