How can Google know that a Microsoft e-mail account is "not safe"?

Recently, I was forced to log in to my Gmail account with a browser to keep using it.

Then, Gmail noted that the "alternate e-mail address", my 1999 Hotmail one, which I had long ago associated with my Gmail account (in 2004), has been "detected as not secure". I forget the exact phrasing. Something about it being detected as not secure.

I’m 100% sure that I have never used the password for that Hotmail account anywhere else, and that it has not leaked, and that the account was not compromised.

However, I was still locked out of it, since approx. 2014, when Microsoft started demanding that you enter a phone number to access the account, refusing to let me dismiss it. So I was (and remain) "essentially" locked out of it.

Is it possible that, somehow, Gmail could detect this from a third-party service? What else could they mean by "detected as not secure"? Some guesses:

1. Maybe they have some means of checking the age of the account, and just assume that since it was registered in 1999, it must be abandoned?
2. Maybe it’s listed in some kind of leak database, even though any password there would not be usable to log in since I never used the password elsewhere and have not been so careless as to leak it.
3. They are just making random nonsense up because it’s a competitor’s address.