diff --git a/apps/settings/lib/Controller/AuthSettingsController.php b/apps/settings/lib/Controller/AuthSettingsController.php
index 7248127fd6b7d40a4f6fe258ffd97e502612b6b9..7f6d74e5fc76c42a8f67ca05acff4f973a0ccc90 100644
--- a/apps/settings/lib/Controller/AuthSettingsController.php
+++ b/apps/settings/lib/Controller/AuthSettingsController.php
@@ -289,7 +289,13 @@ class AuthSettingsController extends Controller {
 	 * @throws \OC\Authentication\Exceptions\ExpiredTokenException
 	 */
 	public function wipe(int $id): JSONResponse {
-		if (!$this->remoteWipe->markTokenForWipe($id)) {
+		try {
+			$token = $this->findTokenByIdAndUser($id);
+		} catch (InvalidTokenException $e) {
+			return new JSONResponse([], Http::STATUS_NOT_FOUND);
+		}
+
+		if (!$this->remoteWipe->markTokenForWipe($token)) {
 			return new JSONResponse([], Http::STATUS_BAD_REQUEST);
 		}
 
diff --git a/apps/settings/tests/Controller/AuthSettingsControllerTest.php b/apps/settings/tests/Controller/AuthSettingsControllerTest.php
index 923a63d706c6b6429242a424833dc98b6ab92a31..1d24a90794f1c57c5ed62e8b2d943ee3bed43e26 100644
--- a/apps/settings/tests/Controller/AuthSettingsControllerTest.php
+++ b/apps/settings/tests/Controller/AuthSettingsControllerTest.php
@@ -36,6 +36,7 @@ use OC\Authentication\Exceptions\InvalidTokenException;
 use OC\Authentication\Token\DefaultToken;
 use OC\Authentication\Token\IProvider;
 use OC\Authentication\Token\IToken;
+use OC\Authentication\Token\IWipeableToken;
 use OC\Authentication\Token\RemoteWipe;
 use OCA\Settings\Controller\AuthSettingsController;
 use OCP\Activity\IEvent;
@@ -428,9 +429,15 @@ class AuthSettingsControllerTest extends TestCase {
 	}
 
 	public function testRemoteWipeNotSuccessful(): void {
+		$token = $this->createMock(IToken::class);
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn($this->uid);
+		$this->mockGetTokenById(123, $token);
+
 		$this->remoteWipe->expects($this->once())
 			->method('markTokenForWipe')
-			->with(123)
+			->with($token)
 			->willReturn(false);
 
 		$response = $this->controller->wipe(123);
@@ -439,10 +446,32 @@ class AuthSettingsControllerTest extends TestCase {
 		$this->assertEquals($expected, $response);
 	}
 
+	public function testRemoteWipeWrongUser(): void {
+		$token = $this->createMock(IToken::class);
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn('definetly-not-' . $this->uid);
+		$this->mockGetTokenById(123, $token);
+
+		$this->remoteWipe->expects($this->never())
+			->method('markTokenForWipe');
+
+		$response = $this->controller->wipe(123);
+
+		$expected = new JSONResponse([], Http::STATUS_NOT_FOUND);
+		$this->assertEquals($expected, $response);
+	}
+
 	public function testRemoteWipeSuccessful(): void {
+		$token = $this->createMock(IWipeableToken::class);
+		$token->expects($this->once())
+			->method('getUID')
+			->willReturn($this->uid);
+		$this->mockGetTokenById(123, $token);
+
 		$this->remoteWipe->expects($this->once())
 			->method('markTokenForWipe')
-			->with(123)
+			->with($token)
 			->willReturn(true);
 
 		$response = $this->controller->wipe(123);
diff --git a/lib/private/Authentication/Token/RemoteWipe.php b/lib/private/Authentication/Token/RemoteWipe.php
index 2285ccd2cd8e3be3ac0965fc328309bb02b15c26..e0fbf0734f5c1494977139d3540b7b5cb96eb8c0 100644
--- a/lib/private/Authentication/Token/RemoteWipe.php
+++ b/lib/private/Authentication/Token/RemoteWipe.php
@@ -57,18 +57,14 @@ class RemoteWipe {
 	}
 
 	/**
-	 * @param int $id
-	 *
+	 * @param IToken $token
 	 * @return bool
 	 *
 	 * @throws InvalidTokenException
 	 * @throws WipeTokenException
-	 * @throws ExpiredTokenException
 	 */
-	public function markTokenForWipe(int $id): bool {
-		$token = $this->tokenProvider->getTokenById($id);
-
-		if (!($token instanceof IWipeableToken)) {
+	public function markTokenForWipe(IToken $token): bool {
+		if (!$token instanceof IWipeableToken) {
 			return false;
 		}
 
diff --git a/tests/lib/Authentication/Token/RemoteWipeTest.php b/tests/lib/Authentication/Token/RemoteWipeTest.php
index 2ca49d3615912754bfdcd11b229774a0e40c00c4..2d887a0a87038a3396652a08f2c95518b1a006c1 100644
--- a/tests/lib/Authentication/Token/RemoteWipeTest.php
+++ b/tests/lib/Authentication/Token/RemoteWipeTest.php
@@ -67,30 +67,20 @@ class RemoteWipeTest extends TestCase {
 
 	public function testMarkNonWipableTokenForWipe(): void {
 		$token = $this->createMock(IToken::class);
-		$this->tokenProvider->expects($this->once())
-			->method('getTokenById')
-			->with(123)
-			->willReturn($token);
-
-		$result = $this->remoteWipe->markTokenForWipe(123);
-
+		$result = $this->remoteWipe->markTokenForWipe($token);
 		$this->assertFalse($result);
 	}
 
 	public function testMarkTokenForWipe(): void {
 		$token = $this->createMock(IWipeableToken::class);
-		$this->tokenProvider->expects($this->once())
-			->method('getTokenById')
-			->with(123)
-			->willReturn($token);
 		$token->expects($this->once())
 			->method('wipe');
+
 		$this->tokenProvider->expects($this->once())
 			->method('updateToken')
 			->with($token);
 
-		$result = $this->remoteWipe->markTokenForWipe(123);
-
+		$result = $this->remoteWipe->markTokenForWipe($token);
 		$this->assertTrue($result);
 	}