diff --git a/src/user.js b/src/user.js
index c4c8c2d77..3343c02ac 100644
--- a/src/user.js
+++ b/src/user.js
@@ -223,7 +223,8 @@ function verify(userId, password, callback) {
     getUser(userId, function (error, user) {
         if (error) return callback(error);
 
-        if (verifyGhost(user.username, password)) return callback(null, user);
+        // for just invited users the username may be still null
+        if (user.username && verifyGhost(user.username, password)) return callback(null, user);
 
         var saltBinary = new Buffer(user.salt, 'hex');
         crypto.pbkdf2(password, saltBinary, CRYPTO_ITERATIONS, CRYPTO_KEY_LENGTH, CRYPTO_DIGEST, function (error, derivedKey) {