diff --git a/modules/user/user.module b/modules/user/user.module
index 9637a71..0358836 100644
--- a/modules/user/user.module
+++ b/modules/user/user.module
@@ -2422,8 +2422,9 @@ function user_pass_rehash($password, $timestamp, $login, $uid) {
       return drupal_random_key();
     }
   }
+  $mail = db_query('SELECT mail from {users} WHERE uid = :uid', array(':uid' => $uid))->fetchField();
 
-  return drupal_hmac_base64($timestamp . $login . $uid, drupal_get_hash_salt() . $password);
+  return drupal_hmac_base64($timestamp . $login . $uid . $mail, drupal_get_hash_salt() . $password);
 }
 
 /**
diff --git a/modules/user/user.test b/modules/user/user.test
index 07be4c2..b3d7b15 100644
--- a/modules/user/user.test
+++ b/modules/user/user.test
@@ -587,6 +587,18 @@ class UserPasswordResetTestCase extends DrupalWebTestCase {
     $this->assertNoText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
   }
 
+  /**
+   * Make sure that reset URLs are invalidated when the user changes their email.
+   */
+  function testResetInvalidation() {
+    $account = $this->drupalCreateUser();
+
+    $original_reset_url = user_pass_reset_url($account);
+    user_save($account, array('mail' => '1' . $account->mail));
+    $this->drupalGet($original_reset_url);
+    $this->assertText('You have tried to use a one-time login link that has either been used or is no longer valid. Please request a new one using the form below.');
+  }
+
 }
 
 /**