diff --git a/src/routes/cloudron.js b/src/routes/cloudron.js
index fb7f133f3..04f077c5a 100644
--- a/src/routes/cloudron.js
+++ b/src/routes/cloudron.js
@@ -98,14 +98,13 @@ function passwordResetRequest(req, res, next) {
 function passwordReset(req, res, next) {
     assert.strictEqual(typeof req.body, 'object');
 
-    if (typeof req.body.email !== 'string') return next(new HttpError(400, 'Missing email'));
     if (typeof req.body.resetToken !== 'string') return next(new HttpError(400, 'Missing resetToken'));
     if (typeof req.body.password !== 'string') return next(new HttpError(400, 'Missing password'));
 
-    debug(`passwordReset: for ${req.body.email} with token ${req.body.resetToken}`);
+    debug(`passwordReset: with token ${req.body.resetToken}`);
 
-    users.getByResetToken(req.body.email, req.body.resetToken, function (error, userObject) {
-        if (error) return next(new HttpError(401, 'Invalid email or resetToken'));
+    users.getByResetToken(req.body.resetToken, function (error, userObject) {
+        if (error) return next(new HttpError(401, 'Invalid resetToken'));
 
         if (!userObject.username) return next(new HttpError(401, 'No username set'));
 
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 1dc3c8349..a14fe5116 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -366,9 +366,8 @@ function renderAccountSetupSite(res, req, userObject, error) {
 // -> GET /api/v1/session/account/setup.html
 function accountSetupSite(req, res) {
     if (!req.query.reset_token) return sendError(req, res, 'Missing Reset Token');
-    if (!req.query.email) return sendError(req, res, 'Missing Email');
 
-    users.getByResetToken(req.query.email, req.query.reset_token, function (error, userObject) {
+    users.getByResetToken(req.query.reset_token, function (error, userObject) {
         if (error) return sendError(req, res, 'Invalid Email or Reset Token');
 
         renderAccountSetupSite(res, req, userObject, '');
@@ -387,7 +386,7 @@ function accountSetup(req, res, next) {
 
     debug(`acountSetup: for email ${req.body.email} with token ${req.body.resetToken}`);
 
-    users.getByResetToken(req.body.email, req.body.resetToken, function (error, userObject) {
+    users.getByResetToken(req.body.resetToken, function (error, userObject) {
         if (error) return sendError(req, res, 'Invalid Reset Token');
 
         var data = _.pick(req.body, 'username', 'displayName');
@@ -420,7 +419,7 @@ function passwordResetSite(req, res, next) {
     if (!req.query.email) return next(new HttpError(400, 'Missing email'));
     if (!req.query.reset_token) return next(new HttpError(400, 'Missing reset_token'));
 
-    users.getByResetToken(req.query.email, req.query.reset_token, function (error, user) {
+    users.getByResetToken(req.query.reset_token, function (error, user) {
         if (error) return next(new HttpError(401, 'Invalid email or reset token'));
 
         renderTemplate(res, 'password_reset', {
@@ -443,7 +442,7 @@ function passwordReset(req, res, next) {
 
     debug(`passwordReset: for ${req.body.email} with token ${req.body.resetToken}`);
 
-    users.getByResetToken(req.body.email, req.body.resetToken, function (error, userObject) {
+    users.getByResetToken(req.body.resetToken, function (error, userObject) {
         if (error) return next(new HttpError(401, 'Invalid email or resetToken'));
 
         if (!userObject.username) return next(new HttpError(401, 'No username set'));
diff --git a/src/test/database-test.js b/src/test/database-test.js
index 54d7504e0..f2e6306cb 100644
--- a/src/test/database-test.js
+++ b/src/test/database-test.js
@@ -511,7 +511,7 @@ describe('database', function () {
         });
 
         it('getByResetToken fails for empty resetToken', function (done) {
-            userdb.getByResetToken(USER_0.email, '', function (error, user) {
+            userdb.getByResetToken('', function (error, user) {
                 expect(error).to.be.ok();
                 expect(error.reason).to.be(BoxError.NOT_FOUND);
                 expect(user).to.not.be.ok();
@@ -519,8 +519,8 @@ describe('database', function () {
             });
         });
 
-        it('getByResetToken fails for bad email', function (done) {
-            userdb.getByResetToken(USER_0.email + 'x', USER_0.resetToken, function (error, user) {
+        it('getByResetToken fails for invalid resetToken', function (done) {
+            userdb.getByResetToken('invalid', function (error, user) {
                 expect(error).to.be.ok();
                 expect(error.reason).to.be(BoxError.NOT_FOUND);
                 expect(user).to.not.be.ok();
@@ -529,7 +529,7 @@ describe('database', function () {
         });
 
         it('can get by resetToken', function (done) {
-            userdb.getByResetToken(USER_0.email, USER_0.resetToken, function (error, user) {
+            userdb.getByResetToken(USER_0.resetToken, function (error, user) {
                 expect(error).to.not.be.ok();
                 expect(user).to.eql(USER_0);
                 done();
diff --git a/src/userdb.js b/src/userdb.js
index 120ec7f44..7ccabead4 100644
--- a/src/userdb.js
+++ b/src/userdb.js
@@ -92,12 +92,14 @@ function getOwner(callback) {
     });
 }
 
-function getByResetToken(email, resetToken, callback) {
-    assert.strictEqual(typeof email, 'string');
+function getByResetToken(resetToken, callback) {
     assert.strictEqual(typeof resetToken, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    database.query('SELECT ' + USERS_FIELDS + ' FROM users WHERE email=? AND resetToken=?', [ email, resetToken ], function (error, result) {
+    // empty reset tokens means it does not exist
+    if (!resetToken) return callback(new BoxError(BoxError.NOT_FOUND, 'User not found'));
+
+    database.query('SELECT ' + USERS_FIELDS + ' FROM users WHERE resetToken=?', [ resetToken ], function (error, result) {
         if (error) return callback(new BoxError(BoxError.DATABASE_ERROR, error));
         if (result.length === 0) return callback(new BoxError(BoxError.NOT_FOUND, 'User not found'));
 
diff --git a/src/users.js b/src/users.js
index 64bf4663a..e40e95ba8 100644
--- a/src/users.js
+++ b/src/users.js
@@ -379,18 +379,14 @@ function get(userId, callback) {
     });
 }
 
-function getByResetToken(email, resetToken, callback) {
-    assert.strictEqual(typeof email, 'string');
+function getByResetToken(resetToken, callback) {
     assert.strictEqual(typeof resetToken, 'string');
     assert.strictEqual(typeof callback, 'function');
 
-    var error = validateEmail(email);
-    if (error) return callback(error);
-
     error = validateToken(resetToken);
     if (error) return callback(error);
 
-    userdb.getByResetToken(email, resetToken, function (error, result) {
+    userdb.getByResetToken(resetToken, function (error, result) {
         if (error) return callback(error);
 
         callback(null, result);