diff --git a/packages/backend/src/routers/change_username.js b/packages/backend/src/routers/change_username.js index 1a55d0ac..5bbb4919 100644 --- a/packages/backend/src/routers/change_username.js +++ b/packages/backend/src/routers/change_username.js @@ -54,6 +54,11 @@ module.exports = eggspress('/change_username', { if(await username_exists(req.body.new_username)) throw APIError.create('username_already_in_use', null, { username: req.body.new_username }); + const svc_edgeRateLimit = req.services.get('edge-rate-limit'); + if ( ! svc_edgeRateLimit.check('change-email-start') ) { + return res.status(429).send('Too many requests.'); + } + const db = Context.get('services').get('database').get(DB_WRITE, 'auth'); // Has the user already changed their username twice this month? diff --git a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js index 32e22947..a4fbd691 100644 --- a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js +++ b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js @@ -8,7 +8,7 @@ class EdgeRateLimitService extends BaseService { _construct () { this.scopes = { ['login']: { - limit: 3, + limit: 10, window: 15 * MINUTE, }, ['signup']: {
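Review bot: The limiter call added to the `/change_username` handler checks the scope `'change-email-start'`, so username changes draw on the change-email budget instead of one of their own. This looks like a copy-paste; a dedicated scope would read `if ( ! svc_edgeRateLimit.check('change-username') ) {` with a matching entry in `EdgeRateLimitService`'s `this.scopes` (the scope name is a suggestion, not an existing one). The check also sits after `username_exists(...)`, so a request that only probes whether a name is taken gets its `username_already_in_use` answer before the limiter is consulted; moving the added lines above that lookup would throttle enumeration too. The handler starts and ends outside this hunk, so any earlier throttling on the route is not visible here.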
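Review bot: Raising the `login` scope from 3 to 10 attempts per 15-minute window more than triples the password-guessing budget, and nothing in the hunk records why. What the limiter keys on (client address, account, or both) is not visible here, so confirm that some per-account control still bounds guessing against a single user before relaxing this value. A short comment on the new line would help the next reader, for example `// attempts allowed per window; raised from 3, see <rationale or issue link>`. `_construct` continues outside the hunk.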