diff --git a/nyaa/routes.py b/nyaa/routes.py
index dbf8123..30b3135 100644
--- a/nyaa/routes.py
+++ b/nyaa/routes.py
@@ -403,6 +403,11 @@ def profile():
 new_password = form.new_password.data
 if new_email:
+ # enforce password check on email change too
+ if form.current_password.data != user.password_hash:
+ flask.flash(flask.Markup(
+ 'Email change failed! Incorrect password.'), 'danger')
+ return flask.redirect('/profile')
 user.email = form.email.data
 if new_password:
@@ -624,4 +629,4 @@ def site_help():
 @app.route('/api/upload', methods = ['POST'])
 def api_upload():
 api_response = api_handler.api_upload(flask.request)
- return api_response
\ No newline at end of file
+ return api_response
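Review bot: The added guard `form.current_password.data != user.password_hash` in the `if new_email:` branch compares the submitted plaintext directly with the stored hash attribute, and nothing in the hunk shows why that is a valid verification. If `password_hash` is an ordinary string or bytes column, the inequality is true for any properly hashed password, so every email change would be rejected, and it could only pass if the stored value were the plaintext itself. If the column is instead a wrapper type whose comparison operators perform the hash verification, the check works but reads as a plaintext compare; say so with a comment such as `# password_hash overloads ==/!= to verify the plaintext against the stored hash`, or call the model's verification helper explicitly. profile() starts and continues outside the hunk, so the password-change branch could not be checked for the same pattern.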