diff --git a/keyserver/src/deleters/account-deleters.js b/keyserver/src/deleters/account-deleters.js
--- a/keyserver/src/deleters/account-deleters.js
+++ b/keyserver/src/deleters/account-deleters.js
@@ -35,7 +35,13 @@
 throw new ServerError('internal_error');
 }
 const row = result[0];
- if (!bcrypt.compareSync(request.password, row.hash)) {
+ const requestPasswordConsistentWithDB = !!row.hash === !!request.password;
+ const shouldValidatePassword = !!row.hash;
+ if (
+ !requestPasswordConsistentWithDB ||
+ (shouldValidatePassword &&
+ !bcrypt.compareSync(request.password, row.hash))
+ ) {
 throw new ServerError('invalid_credentials');
 }
 }
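Review bot: When `row.hash` is falsy and the request carries no password, the new condition never reaches `bcrypt.compareSync`, so deleting a passwordless account is authorized by nothing visible in this hunk; presumably an earlier session check covers it, but that code is outside the hunk. Because account deletion is destructive, this branch should either require a fresh proof of identity suited to the account type or carry a comment naming the check that stands in for the password, e.g. `// No password hash on this account: deletion is authorized by <the check that applies>`. The truthiness tests also treat an empty-string hash the same as a missing one, so a malformed row would fall into the unauthenticated branch; using an explicit `row.hash !== null && row.hash !== undefined` in both flags would make such a row fail closed (assuming the column is NULL for passwordless accounts). The enclosing function starts and ends outside the hunk.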