Microsoft insists there is no evidence that source code has been tampered with; and no evidence that the source code for Windows or Office has been stolen.
The most urgent worry for users is that criminals may have seen source code that will help them find security holes in existing Microsoft products. The "no evidence" defence is spurious: users need to be certain that there is not a gang of hackers out there that has the keys to the backdoor of their system.
The second big issue for corporate users will be confidentiality. If Microsoft can't protect its crown jewels, what is it going to do with the confidential information about its customers?
The third issue concerns the security of Windows itself. If there is one ultimate reference site for NT/W2K it is the Microsoft system: anyone who has visited its UK HQ will know how proud the company is of the swipe cards and HP Jornadas carried around by its staff.
Now the hacker sites are full of discussion strings that start "That's what happens when you run NT". Windows won't die as a result, but the debate about Linux and Unix security becomes more interesting as the result of this.
This security breach was unusual in that the victim had to go public. Many banks would have taken the hit in silence. We can only presume Microsoft went public because the breach was bad.
Users need to know how bad, and fast.