A Hacker went into my outlook account and installed a lenovo data share app onto the permissions and deleted traces of it, even after countless password resets they are still able to get access to my online accounts as they can see notifications from my outlook inbox for the security codes they need. how do i get this out of my account and how can i do a complete flush of this app? all security settings in windows are not helpful.
Hi AndyGrave — Windows security settings won’t remove this if the attacker granted an account-level Outlook/Microsoft permission. You need to revoke it from the Microsoft account side, then secure the mailbox so they can’t see security-code emails.
Immediate priority: stop them seeing your codes
Use a known-clean device if possible, such as a different PC or phone you trust.
Sign in to your Microsoft account security page.
Change the password again, but use a new, unique password not used anywhere else.
Turn on two-step verification and use Microsoft Authenticator or another authenticator app, not email-based codes if your Outlook inbox may be compromised. Microsoft recommends two-step verification because it requires both your password and a second verification method.
Remove any recovery email, phone number, or authenticator method you do not recognize from Advanced security options. Microsoft notes you should add safe replacement security info first, and removing all security info can trigger a 30-day restricted state.
Remove the suspicious Lenovo/Data Share permission
Go to your Microsoft account dashboard.
Open Privacy or Security settings.
Look for Apps and services, App permissions, Apps that can access your account, or similar wording.
Remove anything you do not recognize, especially anything named Lenovo Data Share, Data Share, Lenovo, or an app with mail/profile permissions.
If you are unsure about an app, remove it anyway. You can re-authorize legitimate apps later.
Check Recent activity for entries like “Permission given to an application”, browser sign-ins, IMAP access, or unfamiliar locations. Microsoft’s Recent activity page can show how the account was accessed, including browser, phone, IMAP, or application permission activity.
Force all existing sessions out
Go to Advanced security options for your Microsoft account.
Use Sign out everywhere.
Wait up to 24 hours, because Microsoft says sign-out from browsers and apps can take that long.
After that, sign back in only on trusted devices.
Check Outlook for hidden forwarding/rules
Attackers often keep access by forwarding or hiding security emails.
Open Outlook.com in a browser.
Go to Settings.
Go to Mail > Forwarding.
Turn forwarding off unless you personally use it. Microsoft documents that Outlook.com can automatically forward mail from this area.
Go to Mail > Rules.
Delete any rule that forwards, deletes, archives, marks read, or moves messages from Microsoft, banks, stores, gaming accounts, or password reset emails.
Check Junk Email, Deleted Items, Archive, and any odd folders for moved security messages.
Check Sweep rules if available, because Outlook can automatically move future messages using Sweep/rules.
Secure your other online accounts
For every account that uses this Outlook address, change the password from a clean device.
Change the recovery email away from this Outlook inbox temporarily if possible.
Turn on authenticator-app MFA for each account.
Review each account’s active sessions and sign out all devices.
Prioritize banking, shopping, PayPal, Amazon, Apple/Google, social media, gaming, and password managers.
Check whether your PC is still compromised
Before trusting your Windows PC again:
Disconnect from the internet if you see suspicious activity continuing.
From Windows Security, run a Full scan.
Then run Microsoft Defender Offline scan.
Remove unknown browser extensions from Edge/Chrome/Firefox.
Uninstall unknown remote-access tools, sync tools, or “data share” utilities from Settings > Apps.
Check startup apps in Task Manager > Startup apps.
If you still believe the machine is compromised, back up personal files only, then do a clean Windows reinstall from a Microsoft USB installer. Do not back up programs, scripts, browser extensions, or unknown installers.
Important warning
If they can still access your accounts after password resets, one of these is likely still true:
They still have an authorized app/OAuth permission.
They have an active trusted session that was not signed out.
They control one of your recovery methods.
They have a mail forwarding rule or hidden inbox rule.
Your PC/browser/phone has malware, a malicious extension, or saved-session theft.
Another account, such as Gmail, phone carrier, or authenticator backup, is compromised.
If you cannot remove it
Contact Microsoft account support using the Microsoft account recovery/help flow.
Tell them you are seeing unauthorized third-party app permissions and continued access after password resets.
If financial accounts were accessed, contact the providers immediately.
If identity theft or money loss is involved, consider filing a report with your local authorities or the FTC at IdentityTheft.gov.
The key step is this: do the cleanup from a clean device, revoke app permissions, remove forwarding/rules, replace recovery methods, then sign out everywhere. Changing the password alone will not help if an app permission or active session is still trusted.
