@mhoye (a) It's not your data, it's theirs; so, it is not secured by your password/credentials (b) they save your (public) username in a cookie and look up the number of notifications based on that.

They do not consider the *number* of notifications worth hiding behind your password. They probably do hide the content of the notifications behind your password, tho that's not technically required (it's unlikely to actually be encrypted by a key generated/unlocked by your password), but it is "expected" behavior.

MS doesn't care about you.