Unsuccessful Sign-in - Request Denied in App - Password compromised?

nicholas kean 45 Reputation points

Good day!

I recently had a Microsoft Auth request come to my phone, one of the ones with the 3 numbers to choose from. This did not come from me, and after checking on the security page, it was not a familiar IP or location (it was out of my country). The only session activity it gives is
"Session activity
Request denied in app."

My question is, does that mean for a fact that my password has been compromised? I recently changed it to a new, strong, unique one, so I doubt that to be the case, but I cannot find any resources stating ways to trigger the auth without having a password entered.

Microsoft Authenticator
Microsoft Authenticator
A Microsoft app for iOS and Android devices that enables authentication with two-factor verification, phone sign-in, and code generation.
5,105 questions
{count} votes

4 answers

Sort by: Most helpful
  1. Jordan Millama 1,356 Reputation points

    No, does not necessarily mean your password was compromised, but that your email address was at least known/obtained. You can check if your email was a part of any data breaches, many password manager apps have this as a paid feature or you can go to websites such as https://haveibeenpwned.com/

    1 person found this answer helpful.

  2. Robert Koharchik 25 Reputation points

    I too am curious about this, and the same happened to me. How did my phone receive the request without a password being provided?

    1 person found this answer helpful.
    0 comments No comments

  3. Jean-Dominique Nguele 5 Reputation points

    The same happened to me a few weeks back so I changed my password but it happened again today so I'm curious as to how this occurred. Is there some vulnerability that allows hackers to access our accounts without using a password at all?

    1 person found this answer helpful.

  4. edunaka 0 Reputation points

    This thing is happening to me too, from time to time, no matter if Ichange the password (long and complex). My understanding is the the request would be sent to my phone only after providing the right password.