TL;DR: someone managed to add a stolen credit card and shipping information to my #microsoft account, ordered $160 worth of digital xbox gift cards, and redeemed those cards this morning.
There are no suspicious logins on my account, and I have verification and 2FA turned on.
Microsoft not only does not care, they also claim that any unauthorized activity on a user's account is the user's responsibility.
So that's fun.
@DrTCombs I'm very interested in how they were able to add a credit card and billing address to your account without (apparently) being able to sign in.
My main worry for you is if/when the likely stolen credit card is reported your account will be the one that gets suspended. If you have anything important through that account I'd be sure to take some backups if you can.