It's worse than that, he's dead Jim, dead Jim, dead Jim
(yes, you recognised it correctly :) ).
Just in case you didn't pick up on the gravity of this problem, remember that Microsoft uses the combination of email address and password as SSO - one ring to rule them all, so to speak. Once you have that combination you have in principle the keys to the kingdom and it's been handing those off to the well informed for five years now.
Christ what a mess - after this has been patched it's best to have just about everyone who uses Microsoft products change their password. And no, don't use that app idea, that smells too much like just a new way to track people.