It’s not clear how many accounts were involved, but Microsoft is said to have made URLs and metadata available so admins can investigate.
Source: Naked Security Sophos New feed
Office 365 exposed some internal search results to other companies