And you should be activating it
Microsoft's multi-factor authentication (hereafter referred to as Multi-Auth) is designed to make this less likely. The idea is that you set your account up so that any sign-on, whether from the web or from an application, has to be approved by you on a separate device. Once you have signed on, the approval can be remembered, or you can tell it to forget that approval so that once you sign off, a new approval is needed before anyone gets back in. This lets you access your account more safely from a variety of places.
In order to do this you need one of the following secondary authentication methods:
- A smartphone with a Multi-Auth application on it
- A phone of any kind that can accept text messages
If you don't have a smartphone or you don't want to install the app, you can instead have Microsoft text you a message with a code you'll need to type into the browser to log in.
In order to use Multi-Auth, my recommendation is that you take a further step: make sure your phone has activated software that lets you wipe it remotely. That way, if someone gets hold of your phone and figures out your lock screen password, you can still wipe the phone and prevent access to your account. Be sure that you also have a "back door" into your account in case your phone is lost. In most cases, when you turn on Multi-Auth the system provides you with a secondary password for accessing your account. Make sure to save that in a safe place.
Now Multi-Auth does have its drawbacks. Some apps won't support it. In the "Live" version of Multi-Auth (the one used with OneDrive, Xbox, and Hotmail), xbox365, Microsoft's online account settings, and other capabilities don't support Multi-Auth (though that number is shrinking as things are refactored). So you have to create a one-time password to be used just with that app. Generally this is a long string of characters that you type in instead of your normal password. You can deactivate one-time passwords individually, so if one of your accounts is compromised, the device is stolen, or you just don't need it any more, you can deactivate that one-time password on its own. This involves extra steps: you go to your account on a web page, generate the (usually long) one-time password, then type it into the add-on app or device. The question is, would you rather go through a little extra work on initial setup, or deal with the potentially bad consequences of someone compromising your password?
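The per-app passwords just described, as an added example that is not from the original post: a small Python model (the Account class, generate_app_password, revoke and check_app_password are made-up names for illustration) showing why a generated password cannot be looked up later, that each one is revoked on its own, and that an app signing in with one never touches the second factor.

```python
# Added example (not from the original post): a minimal model of per-app
# passwords. Each legacy app gets its own long random secret; the account
# keeps only a salted hash, and each secret can be revoked individually
# without affecting the others or the account's main password.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def _hash(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked store does not reveal the secrets.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class AppPassword:
    label: str      # which app or device this secret was issued for
    salt: bytes
    digest: bytes
    active: bool = True


@dataclass
class Account:
    app_passwords: Dict[str, AppPassword] = field(default_factory=dict)

    def generate_app_password(self, label: str) -> Tuple[str, str]:
        """Return (id, plaintext). The plaintext is shown exactly once;
        only its hash is stored, which is why it cannot be looked up again."""
        plaintext = secrets.token_urlsafe(24)   # long random string
        salt = os.urandom(16)
        pw_id = secrets.token_hex(4)
        self.app_passwords[pw_id] = AppPassword(label, salt, _hash(plaintext, salt))
        return pw_id, plaintext

    def revoke(self, pw_id: str) -> None:
        # Deactivating one entry leaves every other app password working.
        self.app_passwords[pw_id].active = False

    def check_app_password(self, candidate: str) -> Optional[str]:
        """Return the label of the matching active app password, else None.
        This path involves no second factor at all: whoever holds the
        string has the same access the app does, hence per-app revocation."""
        for ap in self.app_passwords.values():
            if ap.active and hmac.compare_digest(_hash(candidate, ap.salt), ap.digest):
                return ap.label
        return None
```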
It's also not perfect. In recent months it's gotten better, but in some cases on some apps I've had to regenerate and re-enter one-time passwords (you can't look them up again once you've generated them, unless you keep them in a document offline, which I do not recommend). When moving from one phone to another you have to reconnect to a fresh copy of the Multi-Auth app (a pain, but it only takes a few minutes of setup time).
Many other mail and authentication systems are moving to Multi-Auth, including Gmail and even the king of being compromised, Yahoo. My recommendation is to investigate Multi-Auth and, if you feel comfortable with the steps involved, consider activating it on all critical accounts that are linked to cloud mail or files.