diff --git a/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php b/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php
index 39cc37af686a9..2e7922999a7de 100644
--- a/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php
+++ b/apps/twofactor_backupcodes/lib/Db/BackupCodeMapper.php
@@ -54,4 +54,17 @@ public function deleteCodesByUserId(string $uid): void {
 			->where($qb->expr()->eq('user_id', $qb->createNamedParameter($uid)));
 		$qb->executeStatement();
 	}
+
+	/**
+	 * Marks the backup code as used, if not already marked as used in DB.
+	 * @return int number of affected rows
+	 */
+	public function markUsedIfUnused(BackupCode $code): int {
+		$qb = $this->db->getQueryBuilder();
+		$qb->update($this->getTableName())
+			->set('used', $qb->createNamedParameter(1, IQueryBuilder::PARAM_INT))
+			->where($qb->expr()->eq('id', $qb->createNamedParameter($code->getId(), IQueryBuilder::PARAM_INT)))
+			->andWhere($qb->expr()->eq('used', $qb->createNamedParameter(0, IQueryBuilder::PARAM_INT)));
+		return $qb->executeStatement();
+	}
 }
diff --git a/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php b/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php
index 24621ba2ee202..e4b2af82ed76f 100644
--- a/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php
+++ b/apps/twofactor_backupcodes/lib/Service/BackupCodeStorage.php
@@ -85,19 +85,12 @@ public function getBackupCodesState(IUser $user): array {
 		];
 	}
 
-	/**
-	 * @param IUser $user
-	 * @param string $code
-	 * @return bool
-	 */
 	public function validateCode(IUser $user, string $code): bool {
 		$dbCodes = $this->mapper->getBackupCodes($user);
 
 		foreach ($dbCodes as $dbCode) {
 			if ((int)$dbCode->getUsed() === 0 && $this->hasher->verify($code, $dbCode->getCode())) {
-				$dbCode->setUsed(1);
-				$this->mapper->update($dbCode);
-				return true;
+				return ($this->mapper->markUsedIfUnused($dbCode) === 1);
 			}
 		}
 		return false;
diff --git a/apps/twofactor_backupcodes/tests/Unit/Service/BackupCodeStorageTest.php b/apps/twofactor_backupcodes/tests/Unit/Service/BackupCodeStorageTest.php
index ef7e6674afaa3..e3d9547cfbe64 100644
--- a/apps/twofactor_backupcodes/tests/Unit/Service/BackupCodeStorageTest.php
+++ b/apps/twofactor_backupcodes/tests/Unit/Service/BackupCodeStorageTest.php
@@ -157,12 +157,11 @@ public function testValidateCode(): void {
 			->with('CHALLENGE', 'HASHEDVALUE', $this->anything())
 			->willReturn(true);
 		$this->mapper->expects($this->once())
-			->method('update')
-			->with($code);
+			->method('markUsedIfUnused')
+			->with($code)
+			->willReturn(1);
 
 		$this->assertTrue($this->storage->validateCode($user, 'CHALLENGE'));
-
-		$this->assertEquals(1, $code->getUsed());
 	}
 
 	public function testValidateUsedCode(): void {