diff --git a/store/account_test.go b/store/account_test.go
index 7170acb..3eceb0f 100644
--- a/store/account_test.go
+++ b/store/account_test.go
@@ -440,9 +440,9 @@ func TestUpdateVerifyAccountSuccess(t *testing.T) {
 defer StoreTestCleanup(sqliteTmpFile)
 
 verifyTokenString := auth.VerifyTokenString("abcd1234abcd1234abcd1234abcd1234")
- time1 := time.Time{}
+ verifyExpiration := time.Now().Add(time.Second * 10).UTC() // expires in one second
 
- _, email, password, createdSeed := makeTestUser(t, &s, &verifyTokenString, &time1)
+ _, email, password, createdSeed := makeTestUser(t, &s, &verifyTokenString, &verifyExpiration)
 
 // we're not testing normalization features so we'll just use this here
 normEmail := email.Normalize()
@@ -462,3 +462,23 @@ func TestStoreVerifyAccountTokenNotExists(t *testing.T) {
 t.Fatalf(`VerifyAccount error for nonexistant token: wanted "%+v", got "%+v."`, ErrNoTokenForUser, err)
 }
 }
+
+// Test VerifyAccount for expired token
+func TestUpdateVerifyAccountTokenExpired(t *testing.T) {
+ s, sqliteTmpFile := StoreTestInit(t)
+ defer StoreTestCleanup(sqliteTmpFile)
+
+ verifyTokenString := auth.VerifyTokenString("abcd1234abcd1234abcd1234abcd1234")
+ verifyExpiration := time.Now().Add(time.Second * (-1)).UTC() // expired one second ago
+
+ _, email, password, createdSeed := makeTestUser(t, &s, &verifyTokenString, &verifyExpiration)
+
+ // we're not testing normalization features so we'll just use this here
+ normEmail := email.Normalize()
+
+ if err := s.VerifyAccount(verifyTokenString); err != ErrNoTokenForUser {
+ t.Fatalf(`VerifyAccount error for expired token: wanted "%+v", got "%+v."`, ErrNoTokenForUser, err)
+ }
+
+ expectAccountMatch(t, &s, normEmail, email, password, createdSeed, &verifyTokenString, &verifyExpiration, time.Now().UTC(), time.Now().UTC())
+}
diff --git a/store/auth_test.go b/store/auth_test.go
index 8b22de2..7d89ca7 100644
--- a/store/auth_test.go
+++ b/store/auth_test.go
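Review bot: The trailing comment on the new `verifyExpiration` line in TestUpdateVerifyAccountSuccess says `// expires in one second`, but the expression adds `time.Second * 10`. The comment should read `// expires in ten seconds`, so the margin the success path relies on is stated correctly. The test function starts and ends outside the hunk.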
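Review bot: TestUpdateVerifyAccountTokenExpired pins only a token whose expiry lies in the past; an account whose token has no expiration stored is not exercised. `makeTestUser` takes the expiration as a pointer, which suggests a nil value is possible, though the helper is not visible here. Under the new `verify_expiration>?` condition such a row should never verify, so a sibling case that passes a nil expiration and expects `ErrNoTokenForUser` would pin that fail-closed behaviour. A short comment on the test noting that an expired token deliberately returns the same error as an unknown one would also help the next reader.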
@@ -310,7 +310,7 @@ func TestStoreGetToken(t *testing.T) {
 }
 
 // Update the token to be expired
- expirationOld := time.Now().Add(time.Second * (-1))
+ expirationOld := time.Now().Add(time.Second * (-1)).UTC()
 if err := s.updateToken(&authToken, expirationOld); err != nil {
 t.Fatalf("Unexpected error in updateToken: %+v", err)
 }
diff --git a/store/store.go b/store/store.go
index 80c9eb0..4f105ae 100644
--- a/store/store.go
+++ b/store/store.go
@@ -464,9 +464,11 @@ func (s *Store) UpdateVerifyTokenString(email auth.Email, verifyTokenString auth
 }
 
 func (s *Store) VerifyAccount(verifyTokenString auth.VerifyTokenString) (err error) {
+ expirationCutoff := time.Now().UTC()
+
 res, err := s.db.Exec(
- "UPDATE accounts SET verify_token=null, verify_expiration=null, updated=datetime('now') WHERE verify_token=?",
- verifyTokenString,
+ "UPDATE accounts SET verify_token=null, verify_expiration=null, updated=datetime('now') WHERE verify_token=? AND verify_expiration>?",
+ verifyTokenString, expirationCutoff,
 )
 if err != nil {
 return
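Review bot: The new `verify_expiration>?` condition in VerifyAccount is only correct if every stored `verify_expiration` uses the same zone and representation as the bound `expirationCutoff`. The `.UTC()` calls this commit adds to the tests suggest the comparison is sensitive to that, though how the driver encodes `time.Time` is not visible here. The code that writes `verify_expiration` is outside this diff, so confirm it always stores UTC; otherwise an expired token could still compare as valid. I would record the invariant above the cutoff, e.g. `// verify_expiration is stored in UTC; the cutoff must use the same zone and format for the comparison to hold`. The same statement sets `updated=datetime('now')` from the database clock while the cutoff comes from the Go clock, so two time sources are mixed; the function body continues past the end of the hunk.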