Just an update, Microsoft confirms it was a phishing attack, which means that spoofed pages were used to harvest the thousands of email addresses and passwords.

Also, sparbag, nobody (yet) knows who this person is who did the phishing attack, so it is a tad bit early to be coughing up legislations