A critical bug in Microsoft left 400M accounts exposed