https://techcrunch.com/2019/12/02/microsoft-login-flaw-account-hijack/

Microsoft has fixed a vulnerability in its login system, which security researchers say could have been used to trick unsuspecting victims into giving over complete access to their online accounts.

The bug allowed attackers to quietly steal account tokens, which websites and apps use to grant users access to their accounts without having them to constantly re-enter their passwords. These tokens are created by an app or a website in place of a username and password after a user logs in. That keeps the user persistently logged into the site, but also allows users to access third-party apps and websites without having to directly hand over their passwords.