diff --git a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
index f352cc4d5..262c958f4 100644
--- a/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
+++ b/service/src/main/java/org/whispersystems/textsecuregcm/controllers/AccountController.java
@@ -540,7 +540,7 @@ public class AccountController {
 username = username.toLowerCase();
- if (!username.matches("^[a-z0-9_]+$")) {
+ if (!username.matches("^[a-z_][a-z0-9_]+$")) {
 return Response.status(Response.Status.BAD_REQUEST).build();
 }
diff --git a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
index bfca6aed6..7f07e3472 100644
--- a/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
+++ b/service/src/test/java/org/whispersystems/textsecuregcm/tests/controllers/AccountControllerTest.java
@@ -864,6 +864,18 @@ public class AccountControllerTest {
 assertThat(response.getStatus()).isEqualTo(400);
 }
+ @Test
+ public void testSetInvalidPrefixUsername() {
+ Response response =
+ resources.getJerseyTest()
+ .target("/v1/accounts/username/0n00bkiller")
+ .request()
+ .header("Authorization", AuthHelper.getAuthHeader(AuthHelper.VALID_NUMBER, AuthHelper.VALID_PASSWORD))
+ .put(Entity.text(""));
+
+ assertThat(response.getStatus()).isEqualTo(400);
+ }
+
+ @Test
 public void testSetUsernameBadAuth() {
 Response response =
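Review bot: The new pattern in the `username.matches(...)` check also raises the minimum username length to two, because `[a-z0-9_]+` still requires at least one character after the new leading class, so a one-character name such as `a`, which the old pattern accepted, now gets a 400. If the intent is only to forbid a leading digit, `if (!username.matches("^[a-z_][a-z0-9_]*$")) {` keeps the old length rule; if a length bound is wanted, an explicit `{n,m}` quantifier would state it (no length check is visible in this hunk, and the enclosing method starts and ends outside it). The added test `testSetInvalidPrefixUsername` covers only the digit-prefix case, so a single-character case would pin whichever behaviour is intended. Separately, `String.matches` recompiles the regex on every request and already matches the whole input, so a `private static final Pattern` would be the usual form for this allowlist.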