diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index a0fa60e9..ec2f30b6 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -262,6 +262,10 @@ async fn post_set_password(data: Json<SetPasswordData>, headers: Headers, mut co
     let data: SetPasswordData = data.into_inner();
     let mut user = headers.user;
 
+    if user.private_key.is_some() {
+        err!("Account already intialized cannot set password")
+    }
+
     // Check against the password hint setting here so if it fails, the user
     // can retry without losing their invitation below.
     let password_hint = clean_password_hint(&data.master_password_hint);