diff --git a/CHANGELOG.md b/CHANGELOG.md
index b1b052008fb..f9b0f914902 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,9 @@
 ## Releases
-* Unreleased
+* v2.3.5 (6th September 2018)
+ - Security:
+ - Update user object before attempting sign-in, to prevent leak of user account phone number.
 * v2.3.4 (7th June 2018)
 - Bugfixes:
diff --git a/perllib/FixMyStreet/App/Controller/Report/New.pm b/perllib/FixMyStreet/App/Controller/Report/New.pm
index b5e5c573812..6cbf2291fe0 100644
--- a/perllib/FixMyStreet/App/Controller/Report/New.pm
+++ b/perllib/FixMyStreet/App/Controller/Report/New.pm
@@ -805,6 +805,8 @@ sub process_user : Private {
 $c->stash->{phone_may_be_mobile} = $type eq 'phone' && $parsed->{may_be_mobile};
+ $c->forward('update_user', [ \%params ]);
+
 # The user is trying to sign in. We only care about username from the params.
 if ( $c->get_param('submit_sign_in') || $c->get_param('password_sign_in') ) {
 $c->stash->{tfa_data} = {
@@ -825,7 +827,6 @@ sub process_user : Private {
 return 1;
 }
- $c->forward('update_user', [ \%params ]);
 if ($params{password_register}) {
 $c->forward('/auth/test_password', [ $params{password_register} ]);
 $report->user->password($params{password_register});
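Review bot: The relocated `$c->forward('update_user', [ \%params ]);` now runs before the sign-in branch, but nothing at that point records why the order matters, so a later tidy-up could move it back below the `return 1;` and silently reintroduce the phone-number leak the CHANGELOG entry describes. A comment above the call such as `# Must run before the sign-in branch below: the stashed user is re-rendered into the form, so its fields have to be replaced with the submitted values first (v2.3.5 security fix).` would pin the ordering. Presumably the leak came from the stashed user still carrying the stored account's phone after a sign-in attempt; if so, a regression test asserting that the re-rendered form never contains a phone value the submitter did not supply would protect the fix better than the ordering alone. process_user starts and ends outside the hunk, and the removed call in this file's second hunk is the counterpart of this move.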