diff --git a/src/Auth.php b/src/Auth.php
index 89e4cc2..a2b1158 100644
--- a/src/Auth.php
+++ b/src/Auth.php
@@ -550,6 +550,18 @@ final class Auth extends UserManager {
 if (!empty($confirmationData)) {
 if (password_verify($token, $confirmationData['token'])) {
 if ($confirmationData['expires'] >= time()) {
+ // invalidate any potential outstanding password reset requests
+ try {
+ $this->db->delete(
+ $this->dbTablePrefix . 'users_resets',
+ [ 'user' => $confirmationData['user_id'] ]
+ );
+ }
+ catch (Error $e) {
+ throw new DatabaseError();
+ }
+
+ // mark the email address as verified (and possibly update it to the new address given)
 try {
 $this->db->update(
 $this->dbTablePrefix . 'users',
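Review bot: The new `catch (Error $e)` around the `users_resets` delete discards `$e` and rethrows a bare `DatabaseError()`, so a failure of this security-relevant invalidation step leaves nothing to diagnose or alert on. If `DatabaseError` accepts the usual exception arguments (its definition is not visible here), chain the cause, e.g. `throw new DatabaseError($e->getMessage(), 0, $e);`, and keep that text in server-side logs rather than in any response. The comment could also state the reason: reset tokens requested before the confirmation (which may switch the account to a new address) must not remain usable afterwards. The delete and the following `update` are separate statements with no transaction visible in the hunk; failing before the update is the safe direction, but it is worth confirming that this is intended. The enclosing method starts and ends outside the hunk.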