Either it was one hell of a phishing scheme, or MS is lying, and it was really a hack... For people to actually give their login credentials (instead of just personal info), it would have to be pretty convincing, and would've had to have gone on for quite some time without getting caught, otherwise it would be marked as spam...
...But since they're saying "probably phishing", that means "probably a hack", otherwise, if it were phishing, they would've identified the phishing email and site already... Get me?