If you are using Windows 8.1, Windows Phone 8.1, or Xbox One; the answer to the title is likely a resounding “yes”. The real question is whether you even knew about it and whether you consent to it now that you do.
You’ve given your consent to and acknowledged understanding of the Windows 8.1 Privacy Statement during installation or first start-up. Hidden away in the middle of the 26 700 word long document is the following:
A “Microsoft account” is required to download free and paid apps, access documents and files saved in OneDrive, use Xbox services (on Windows too), and so on. This is a single sign-in feature Microsoft have been pushing for years. During the first-run start-up of a new computer, Microsoft makes it much easier to sign-up for or log-in to a Microsoft account than it is to create and login with a local account. It takes a fair bit of clicking around to discover the hidden button to create a local account. Users are thus encouraged to sign-in with this account type. It was first used to login to your local computer in Windows 8.
If you’ve logged in to the Netflix or Twitter apps, Microsoft now has those passwords. If you’ve logged in to and saved your bank and Facebook passwords in Internet Explorer, Microsoft now has those passwords too.
The convenience factor of the feature is very convincing. When getting a new computer, all apps would be redownloaded and retain their settings and even their login state. Who wants to spend time entering passwords on a phone or gaming console when it could all be setup automatically?
This behavior is enabled by default. Users can opt out of this feature by disabling the setting PC Settings: OneDrive: Sync settings: Other settings: Passwords. Even after disabling this setting, any non-synced settings — including passwords — will still be backed up to Microsoft’s servers. You also have to disable the PC Settings: OneDrive: Sync settings: Back up settings: Back up your settings for this PC setting. Both these setting will be reset and enabled by default if you upgrade from Windows 8 to 8.1. This again goes back to whether you trust Microsoft to do the right thing, to choose the right default, or not. Signing on on a new device will also turn everything back on by default.
Considering how Microsoft arbitrarily decides its in the user’s best interest to change their settings back to the default: you can’t actually have any kind of sensitive information on your computer in a Windows account that uses a Microsoft account for login. To preserve privacy, and for added security, I use more than one account on my computers.