diff --git a/UT4MasterServer.Common/Enums/AccountFlags.cs b/UT4MasterServer.Common/Enums/AccountFlags.cs
index e756d570..d80f6ee7 100644
--- a/UT4MasterServer.Common/Enums/AccountFlags.cs
+++ b/UT4MasterServer.Common/Enums/AccountFlags.cs
@@ -72,5 +72,10 @@ public enum AccountFlags
 	/// </summary>
 	ACL_Maintenance = 0x1000,
 
+	/// <summary>
+	/// Flag to determine if email was verified
+	/// </summary>
+	EmailVerified = 0x2000,
+
 	/// NOTE: if you add more flags, make sure to update <see cref="AccountFlagsHelper"/> checks.
 }
diff --git a/UT4MasterServer.Common/Exceptions/AwsSesClientException.cs b/UT4MasterServer.Common/Exceptions/AwsSesClientException.cs
new file mode 100644
index 00000000..322d0147
--- /dev/null
+++ b/UT4MasterServer.Common/Exceptions/AwsSesClientException.cs
@@ -0,0 +1,13 @@
+namespace UT4MasterServer.Common.Exceptions;
+
+[Serializable]
+public sealed class AwsSesClientException : Exception
+{
+	public AwsSesClientException(string message) : base(message)
+	{
+	}
+
+	public AwsSesClientException(string message, Exception innerException) : base(message, innerException)
+	{
+	}
+}
diff --git a/UT4MasterServer.Common/Exceptions/EmailVerificationException.cs b/UT4MasterServer.Common/Exceptions/EmailVerificationException.cs
new file mode 100644
index 00000000..65bd3ccb
--- /dev/null
+++ b/UT4MasterServer.Common/Exceptions/EmailVerificationException.cs
@@ -0,0 +1,14 @@
+namespace UT4MasterServer.Common.Exceptions;
+
+[Serializable]
+public sealed class EmailVerificationException : Exception
+{
+	public EmailVerificationException(string message) : base(message)
+	{
+	}
+
+	public EmailVerificationException(string message, Exception innerException) : base(message, innerException)
+	{
+	}
+}
+
diff --git a/UT4MasterServer.Common/Exceptions/NotFoundException.cs b/UT4MasterServer.Common/Exceptions/NotFoundException.cs
new file mode 100644
index 00000000..329eccb1
--- /dev/null
+++ b/UT4MasterServer.Common/Exceptions/NotFoundException.cs
@@ -0,0 +1,13 @@
+namespace UT4MasterServer.Common.Exceptions;
+
+[Serializable]
+public sealed class NotFoundException : Exception
+{
+	public NotFoundException(string message) : base(message)
+	{
+	}
+
+	public NotFoundException(string message, Exception innerException) : base(message, innerException)
+	{
+	}
+}
diff --git a/UT4MasterServer.Common/Exceptions/RateLimitExceededException.cs b/UT4MasterServer.Common/Exceptions/RateLimitExceededException.cs
new file mode 100644
index 00000000..0f325365
--- /dev/null
+++ b/UT4MasterServer.Common/Exceptions/RateLimitExceededException.cs
@@ -0,0 +1,13 @@
+namespace UT4MasterServer.Common.Exceptions;
+
+[Serializable]
+public sealed class RateLimitExceededException : Exception
+{
+	public RateLimitExceededException(string message) : base(message)
+	{
+	}
+
+	public RateLimitExceededException(string message, Exception innerException) : base(message, innerException)
+	{
+	}
+}
diff --git a/UT4MasterServer.Common/Helpers/AccountFlagsHelper.cs b/UT4MasterServer.Common/Helpers/AccountFlagsHelper.cs
index d1d06507..f4d3079b 100644
--- a/UT4MasterServer.Common/Helpers/AccountFlagsHelper.cs
+++ b/UT4MasterServer.Common/Helpers/AccountFlagsHelper.cs
@@ -16,6 +16,7 @@ public static bool IsACLFlag(AccountFlags flag)
 			AccountFlags.ACL_CloudStorageAnnouncements |
 			AccountFlags.ACL_CloudStorageRulesets |
 			AccountFlags.ACL_CloudStorageChallenges |
-			AccountFlags.ACL_Maintenance);
+			AccountFlags.ACL_Maintenance |
+			AccountFlags.EmailVerified);
 	}
 }
diff --git a/UT4MasterServer.Common/Helpers/ValidationHelper.cs b/UT4MasterServer.Common/Helpers/ValidationHelper.cs
index c6b19b9a..6f716840 100644
--- a/UT4MasterServer.Common/Helpers/ValidationHelper.cs
+++ b/UT4MasterServer.Common/Helpers/ValidationHelper.cs
@@ -6,6 +6,7 @@ public static class ValidationHelper
 {
 	private static readonly Regex regexEmail;
 	private static readonly List<string> disallowedUsernameWords;
+	private static readonly List<string> disallowedEmailDomains;
 
 	static ValidationHelper()
 	{
@@ -17,6 +18,99 @@ static ValidationHelper()
 			"shit", "fuck", "bitch", "slut", "sex", "cum",
 			"nigger", "hitler", "nazi"
 		};
+		disallowedEmailDomains = new List<string>
+		{
+			"yopmail.com",
+			"maildrop.cc",
+			"dispostable.com",
+			"guerrillamail.com",
+			"mailinator.com",
+			"tempr.email",
+			"discard.email",
+			"discardmail.com",
+			"discardmail.de",
+			"spambog.com",
+			"spambog.de",
+			"spambog.ru",
+			"0815.ru",
+			"knol-power.nl",
+			"freundin.ru",
+			"smashmail.de",
+			"s0ny.net",
+			"1mail.x24hr.com",
+			"from.onmypc.info",
+			"now.mefound.com",
+			"mowgli.jungleheart.com",
+			"cr.cloudns.asia",
+			"tls.cloudns.asia",
+			"msft.cloudns.asia",
+			"b.cr.cloudns.asia",
+			"ssl.tls.cloudns.asia",
+			"sweetxxx.de",
+			"dvd.dns-cloud.net",
+			"dvd.dnsabr.com",
+			"bd.dns-cloud.net",
+			"yx.dns-cloud.net",
+			"shit.dns-cloud.net",
+			"shit.dnsabr.com",
+			"eu.dns-cloud.net",
+			"eu.dnsabr.com",
+			"asia.dnsabr.com",
+			"8.dnsabr.com",
+			"pw.8.dnsabr.com",
+			"mm.8.dnsabr.com",
+			"23.8.dnsabr.com",
+			"pw.epac.to",
+			"postheo.de",
+			"sexy.camdvr.org",
+			"888.dns-cloud.net",
+			"adult-work.info",
+			"trap-mail.de",
+			"m.cloudns.cl",
+			"t.woeishyang.com",
+			"pflege-schoene-haut.de",
+			"streamboost.xyz",
+			"okmail.p-e.kr",
+			"hotbird.giize.com",
+			"as10.dnsfree.com",
+			"mehr-bitcoin.de",
+			"a1b2.cloudns.ph",
+			"wacamole.soynashi.tk",
+			"temp69.email",
+			"secure.okay.email.safeds.tk",
+			"tajba.com",
+			"web.run.place",
+			"tempr-mail.line.pm",
+			"spam.ceo",
+			"healthydevelopimmune.com",
+			"infobisnisdigital.com",
+			"winayabeauty.com",
+			"nxyl.eu",
+			"edukansassu12a.cf",
+			"mail.checkermaker.me",
+			"mailcatch.com",
+			"emailondeck.com",
+			"mailnesia.com",
+			"superrito.com",
+			"armyspy.com",
+			"cuvox.de",
+			"dayrep.com",
+			"einrot.com",
+			"fleckens.hu",
+			"gustr.com",
+			"jourrapide.com",
+			"rhyta.com",
+			"superrito.com",
+			"teleworm.us",
+			"mintemail.com",
+			"bbitq.com",
+			"iucake.com",
+			"gufum.com",
+			"boxmail.lol",
+			"nfstripss.com",
+			"dropjar.com",
+			"33mail.com",
+		};
 	}
 
 	public static bool ValidateEmail(string email)
@@ -26,7 +120,14 @@ public static bool ValidateEmail(string email)
 			return false;
 		}
 
-		return regexEmail.IsMatch(email);
+		if (!regexEmail.IsMatch(email))
+			return false;
+
+		var emailDomain = email.ToLower().Split('@')[1];
+		if (disallowedEmailDomains.Contains(emailDomain))
+			return false;
+
+		return true;
 	}
 
 	public static bool ValidateUsername(string username)
diff --git a/UT4MasterServer.Models/DTO/Request/SendEmailRequest.cs b/UT4MasterServer.Models/DTO/Request/SendEmailRequest.cs
new file mode 100644
index 00000000..a6542e31
--- /dev/null
+++ b/UT4MasterServer.Models/DTO/Request/SendEmailRequest.cs
@@ -0,0 +1,9 @@
+namespace UT4MasterServer.Models.DTO.Request;
+
+public sealed class SendEmailRequest
+{
+	public string From { get; set; } = string.Empty;
+	public List<string> To { get; set; } = new();
+	public string Subject { get; set; } = string.Empty;
+	public string Body { get; set; } = string.Empty;
+}
diff --git a/UT4MasterServer.Models/Database/Account.cs b/UT4MasterServer.Models/Database/Account.cs
index 09b6d13b..d9da3ced 100644
--- a/UT4MasterServer.Models/Database/Account.cs
+++ b/UT4MasterServer.Models/Database/Account.cs
@@ -69,6 +69,18 @@ public class Account
 	[BsonElement("Flags")]
 	public AccountFlags Flags { get; set; } = 0;
 
+	[BsonIgnoreIfNull]
+	public string? VerificationLinkGUID { get; set; }
+
+	[BsonIgnoreIfNull]
+	public DateTime? VerificationLinkExpiration { get; set; }
+
+	[BsonIgnoreIfNull]
+	public string? ResetLinkGUID { get; set; }
+
+	[BsonIgnoreIfNull]
+	public DateTime? ResetLinkExpiration { get; set; }
+
 	[BsonIgnore]
 	public float Level
 	{
diff --git a/UT4MasterServer.Models/Settings/AWSSettings.cs b/UT4MasterServer.Models/Settings/AWSSettings.cs
new file mode 100644
index 00000000..7835cbd7
--- /dev/null
+++ b/UT4MasterServer.Models/Settings/AWSSettings.cs
@@ -0,0 +1,8 @@
+namespace UT4MasterServer.Models.Settings;
+
+public sealed class AWSSettings
+{
+	public string AccessKey { get; set; } = string.Empty;
+	public string SecretKey { get; set; } = string.Empty;
+	public string RegionName { get; set; } = string.Empty;
+}
diff --git a/UT4MasterServer.Models/Settings/ApplicationSettings.cs b/UT4MasterServer.Models/Settings/ApplicationSettings.cs
index d28b7143..467727d4 100644
--- a/UT4MasterServer.Models/Settings/ApplicationSettings.cs
+++ b/UT4MasterServer.Models/Settings/ApplicationSettings.cs
@@ -1,4 +1,4 @@
-namespace UT4MasterServer.Models.Settings;
+namespace UT4MasterServer.Models.Settings;
 
 public sealed class ApplicationSettings
 {
@@ -11,10 +11,22 @@ public sealed class ApplicationSettings
 	public bool AllowPasswordGrantType { get; set; } = false;
 
 	/// <summary>
-	/// Used just to redirect users to correct domain when UT4UU is being used.
+	/// Used for URL generation when sending activation link, reset links, etc.
+	/// </summary>
+	public string WebsiteScheme { get; set; } = string.Empty;
+
+	/// <summary>
+	/// Used for
+	/// - email verification links
+	/// - reset password links
 	/// </summary>
 	public string WebsiteDomain { get; set; } = string.Empty;
 
+	/// <summary>
+	/// Used for URL generation when sending activation link, reset links, etc.
+	/// </summary>
+	public int WebsitePort { get; set; } = -1;
+
 	/// <summary>
 	/// File containing a list of trusted proxy servers (one per line).
 	/// This file is loaded only once when program starts and it add values to <see cref="ProxyServers"/>.
@@ -30,4 +42,10 @@ public sealed class ApplicationSettings
 	/// IP addresses of trusted proxy servers.
 	/// </summary>
 	public List<string> ProxyServers { get; set; } = new List<string>();
+
+	/// <summary>
+	/// No-reply email that will be used for activation links, reset password links, etc
+	/// </summary>
+	/// <example>no-reply@example.com</example>
+	public string NoReplyEmail { get; set; } = string.Empty;
 }
diff --git a/UT4MasterServer.Services/Hosted/ApplicationBackgroundService.cs b/UT4MasterServer.Services/Hosted/ApplicationBackgroundService.cs
index 5018c65a..f239242b 100644
--- a/UT4MasterServer.Services/Hosted/ApplicationBackgroundService.cs
+++ b/UT4MasterServer.Services/Hosted/ApplicationBackgroundService.cs
@@ -72,6 +72,9 @@ private void DoWork(object? state)
 				logger.LogInformation("Background task deleted {DeleteCount} stale game servers.", deleteCount);
 			}
 
+			var cleanupService = scope.ServiceProvider.GetRequiredService<CleanupService>();
+			await cleanupService.RemoveNonVerifiedAccountsAsync();
+
 			await DeleteOldStatisticsAsync(scope);
 			await MergeOldStatisticsAsync(scope);
 		});
diff --git a/UT4MasterServer.Services/Hosted/ApplicationStartupService.cs b/UT4MasterServer.Services/Hosted/ApplicationStartupService.cs
index b9f021dc..22704a65 100644
--- a/UT4MasterServer.Services/Hosted/ApplicationStartupService.cs
+++ b/UT4MasterServer.Services/Hosted/ApplicationStartupService.cs
@@ -1,7 +1,6 @@
+using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
-using UT4MasterServer.Models.Settings;
 using UT4MasterServer.Services.Scoped;
 
 namespace UT4MasterServer.Services.Hosted;
@@ -9,30 +8,24 @@ namespace UT4MasterServer.Services.Hosted;
 public sealed class ApplicationStartupService : IHostedService
 {
 	private readonly ILogger<ApplicationStartupService> logger;
-	private readonly AccountService accountService;
-	private readonly StatisticsService statisticsService;
-	private readonly CloudStorageService cloudStorageService;
-	private readonly ClientService clientService;
-	private readonly RatingsService ratingsService;
-
-	public ApplicationStartupService(
-		ILogger<ApplicationStartupService> logger,
-		ILogger<StatisticsService> statsLogger,
-		IOptions<ApplicationSettings> settings,
-		ILogger<CloudStorageService> cloudStorageLogger,
-		ILogger<RatingsService> ratingsLogger)
+	private readonly IServiceProvider serviceProvider;
+
+	public ApplicationStartupService(ILogger<ApplicationStartupService> logger, IServiceProvider serviceProvider)
 	{
 		this.logger = logger;
-		var db = new DatabaseContext(settings);
-		accountService = new AccountService(db, settings);
-		statisticsService = new StatisticsService(statsLogger, db);
-		cloudStorageService = new CloudStorageService(db, cloudStorageLogger);
-		clientService = new ClientService(db);
-		ratingsService = new RatingsService(ratingsLogger, db);
+		this.serviceProvider = serviceProvider;
 	}
 
 	public async Task StartAsync(CancellationToken cancellationToken)
 	{
+		using var scope = serviceProvider.CreateScope();
+
+		var accountService = scope.ServiceProvider.GetRequiredService<AccountService>();
+		var statisticsService = scope.ServiceProvider.GetRequiredService<StatisticsService>();
+		var ratingsService = scope.ServiceProvider.GetRequiredService<RatingsService>();
+		var cloudStorageService = scope.ServiceProvider.GetRequiredService<CloudStorageService>();
+		var clientService = scope.ServiceProvider.GetRequiredService<ClientService>();
+
 		logger.LogInformation("Configuring MongoDB indexes.");
 		await accountService.CreateIndexesAsync();
 		await statisticsService.CreateIndexesAsync();
diff --git a/UT4MasterServer.Services/Interfaces/IEmailService.cs b/UT4MasterServer.Services/Interfaces/IEmailService.cs
new file mode 100644
index 00000000..46357f5a
--- /dev/null
+++ b/UT4MasterServer.Services/Interfaces/IEmailService.cs
@@ -0,0 +1,7 @@
+namespace UT4MasterServer.Services.Interfaces;
+
+public interface IEmailService
+{
+	Task SendTextEmailAsync(string fromAddress, List<string> toAddresses, string subject, string body);
+	Task SendHTMLEmailAsync(string fromAddress, List<string> toAddresses, string subject, string body);
+}
diff --git a/UT4MasterServer.Services/Scoped/AccountService.cs b/UT4MasterServer.Services/Scoped/AccountService.cs
index 4734f575..9cf13c42 100644
--- a/UT4MasterServer.Services/Scoped/AccountService.cs
+++ b/UT4MasterServer.Services/Scoped/AccountService.cs
@@ -1,21 +1,34 @@
-using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using MongoDB.Driver;
 using UT4MasterServer.Common;
 using UT4MasterServer.Common.Enums;
+using UT4MasterServer.Common.Exceptions;
 using UT4MasterServer.Common.Helpers;
 using UT4MasterServer.Models.Database;
 using UT4MasterServer.Models.DTO.Responses;
 using UT4MasterServer.Models.Settings;
+using UT4MasterServer.Services.Interfaces;
 
 namespace UT4MasterServer.Services.Scoped;
 
 public sealed class AccountService
 {
 	private readonly IMongoCollection<Account> accountCollection;
+	private readonly ApplicationSettings applicationSettings;
+	private readonly IEmailService emailService;
+	private readonly ILogger<AccountService> _logger;
 
-	public AccountService(DatabaseContext dbContext, IOptions<ApplicationSettings> settings)
+	public AccountService(
+		DatabaseContext dbContext,
+		IOptions<ApplicationSettings> applicationSettings,
+		IEmailService emailService,
+		ILogger<AccountService> logger)
 	{
+		this.applicationSettings = applicationSettings.Value;
 		accountCollection = dbContext.Database.GetCollection<Account>("accounts");
+		this.emailService = emailService;
+		_logger = logger;
 	}
 
 	public async Task CreateIndexesAsync()
@@ -35,11 +48,15 @@ public async Task CreateAccountAsync(string username, string email, string passw
 		{
 			ID = EpicID.GenerateNew(),
 			Username = username,
-			Email = email
+			Email = email,
+			VerificationLinkGUID = Guid.NewGuid().ToString(),
+			VerificationLinkExpiration = DateTime.UtcNow.AddMinutes(5),
 		};
 		newAccount.Password = PasswordHelper.GetPasswordHash(newAccount.ID, password);
 
 		await accountCollection.InsertOneAsync(newAccount);
+
+		await SendVerificationLinkAsync(email, newAccount.ID, newAccount.VerificationLinkGUID);
 	}
 
 	public async Task<Account?> GetAccountByEmailAsync(string email)
@@ -174,5 +191,153 @@ public async Task RemoveAccountAsync(EpicID id)
 	{
 		await accountCollection.DeleteOneAsync(user => user.ID == id);
 	}
-}
 
+	public async Task<List<EpicID>> GetNonVerifiedAccountsAsync()
+	{
+		var filter = (Builders<Account>.Filter.BitsAnyClear(f => f.Flags, (long)AccountFlags.EmailVerified) |
+					  Builders<Account>.Filter.Exists(f => f.Flags, false)) &
+					  Builders<Account>.Filter.Lt(f => f.LastLoginAt, DateTime.UtcNow.AddMonths(-3));
+		var accountsIDs = await accountCollection.Find(filter).Project(p => p.ID).ToListAsync();
+		return accountsIDs;
+	}
+
+	public async Task VerifyEmailAsync(EpicID accountID, string guid)
+	{
+		var filter = Builders<Account>.Filter.Eq(f => f.ID, accountID) &
+					 Builders<Account>.Filter.Eq(f => f.VerificationLinkGUID, guid) &
+					 Builders<Account>.Filter.Gt(f => f.VerificationLinkExpiration, DateTime.UtcNow) &
+					(Builders<Account>.Filter.BitsAnyClear(f => f.Flags, (long)AccountFlags.EmailVerified) |
+					 Builders<Account>.Filter.Exists(f => f.Flags, false));
+		var account = await accountCollection.Find(filter).FirstOrDefaultAsync();
+
+		if (account is null)
+		{
+			throw new EmailVerificationException("Email verification failed: requested account not found, verification link not found or expired.");
+		}
+
+		var updateDefinition = Builders<Account>.Update
+			.BitwiseOr(s => s.Flags, AccountFlags.EmailVerified)
+			.Unset(u => u.VerificationLinkGUID)
+			.Unset(u => u.VerificationLinkExpiration);
+		await accountCollection.UpdateOneAsync(filter, updateDefinition);
+	}
+
+	public async Task ResendVerificationLinkAsync(string email)
+	{
+		var filter = Builders<Account>.Filter.Eq(f => f.Email, email) &
+					(Builders<Account>.Filter.BitsAnyClear(f => f.Flags, (long)AccountFlags.EmailVerified) |
+					 Builders<Account>.Filter.Exists(f => f.Flags, false));
+		var account = await accountCollection.Find(filter).FirstOrDefaultAsync();
+
+		if (account is null)
+		{
+			throw new NotFoundException("Email not found or already verified.");
+		}
+
+		var activationGUID = Guid.NewGuid().ToString();
+
+		var updateDefinition = Builders<Account>.Update
+			.Set(s => s.VerificationLinkGUID, activationGUID)
+			.Set(s => s.VerificationLinkExpiration, DateTime.UtcNow.AddMinutes(5));
+		await accountCollection.UpdateOneAsync(filter, updateDefinition);
+
+		await SendVerificationLinkAsync(email, account.ID, activationGUID);
+	}
+
+	public async Task InitiateResetPasswordAsync(string email)
+	{
+		var filter = Builders<Account>.Filter.Eq(f => f.Email, email) &
+					 Builders<Account>.Filter.BitsAnySet(f => f.Flags, (long)AccountFlags.EmailVerified);
+		var account = await accountCollection.Find(filter).FirstOrDefaultAsync();
+
+		if (account is null)
+		{
+			throw new NotFoundException("Email not found or not verified.");
+		}
+
+		var guid = Guid.NewGuid().ToString();
+
+		var updateDefinition = Builders<Account>.Update
+			.Set(s => s.ResetLinkGUID, guid)
+			.Set(u => u.ResetLinkExpiration, DateTime.UtcNow.AddMinutes(5));
+		await accountCollection.UpdateOneAsync(filter, updateDefinition);
+
+		await SendResetPasswordLinkAsync(email, account.ID, guid);
+	}
+
+	public async Task ResetPasswordAsync(EpicID accountID, string guid, string newPassword)
+	{
+		var filter = Builders<Account>.Filter.Eq(x => x.ID, accountID) &
+					 Builders<Account>.Filter.Eq(x => x.ResetLinkGUID, guid) &
+					 Builders<Account>.Filter.Gt(x => x.ResetLinkExpiration, DateTime.UtcNow);
+		var account = await accountCollection.Find(filter).FirstOrDefaultAsync();
+
+		if (account is null)
+		{
+			throw new NotFoundException("Requested account not found or reset link expired.");
+		}
+
+		newPassword = PasswordHelper.GetPasswordHash(accountID, newPassword);
+
+		var filterForUpdate = Builders<Account>.Filter.Eq(x => x.ID, accountID);
+		var update = Builders<Account>.Update
+			.Set(x => x.Password, newPassword)
+			.Unset(x => x.ResetLinkGUID)
+			.Unset(x => x.ResetLinkExpiration);
+		await accountCollection.UpdateOneAsync(filterForUpdate, update);
+	}
+
+	private async Task SendVerificationLinkAsync(string email, EpicID accountID, string guid)
+	{
+		UriBuilder uriBuilder = new()
+		{
+			Scheme = applicationSettings.WebsiteScheme,
+			Host = applicationSettings.WebsiteDomain,
+			Port = applicationSettings.WebsitePort,
+			Path = "VerifyEmail",
+			Query = $"accountId={accountID}&guid={guid}"
+		};
+
+		var html = @$"
+			<p>Welcome to UT4 Master Server!</p>
+			<p>Click <a href='{uriBuilder.Uri}' target='_blank'>here</a> to verify your email.</p>
+		";
+
+		if (!ValidationHelper.ValidateEmail(applicationSettings.NoReplyEmail))
+		{
+			_logger.LogWarning("Invalid or missing no-reply email: {Value}.", applicationSettings.NoReplyEmail);
+			return;
+		}
+
+		_logger.LogDebug("Sending email verification link: {Uri}", uriBuilder.Uri);
+
+		await emailService.SendHTMLEmailAsync(applicationSettings.NoReplyEmail, new List<string>() { email }, "Email Verification", html);
+	}
+
+	private async Task SendResetPasswordLinkAsync(string email, EpicID accountID, string guid)
+	{
+		UriBuilder uriBuilder = new()
+		{
+			Scheme = applicationSettings.WebsiteScheme,
+			Host = applicationSettings.WebsiteDomain,
+			Port = applicationSettings.WebsitePort,
+			Path = "ResetPassword",
+			Query = $"accountId={accountID}&guid={guid}"
+		};
+
+		var html = @$"
+			<p>Click <a href='{uriBuilder.Uri}' target='_blank'>here</a> to reset your password for UT4 Master Server account.</p>
+			<p>If you didn't initiate password reset, ignore this message.</p>
+		";
+
+		if (!ValidationHelper.ValidateEmail(applicationSettings.NoReplyEmail))
+		{
+			_logger.LogWarning("Invalid or missing no-reply email: {Value}.", applicationSettings.NoReplyEmail);
+			return;
+		}
+
+		_logger.LogDebug("Sending reset password link: {Uri}", uriBuilder.Uri);
+
+		await emailService.SendHTMLEmailAsync(applicationSettings.NoReplyEmail, new List<string>() { email }, "Reset Password", html);
+	}
+}
diff --git a/UT4MasterServer.Services/Scoped/AwsSesClient.cs b/UT4MasterServer.Services/Scoped/AwsSesClient.cs
new file mode 100644
index 00000000..b8d1fa8b
--- /dev/null
+++ b/UT4MasterServer.Services/Scoped/AwsSesClient.cs
@@ -0,0 +1,102 @@
+using Amazon.SimpleEmail;
+using Amazon.SimpleEmail.Model;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using System.Text.Json;
+using UT4MasterServer.Common.Exceptions;
+using UT4MasterServer.Models.Settings;
+using UT4MasterServer.Services.Interfaces;
+
+namespace UT4MasterServer.Services.Scoped;
+
+public sealed class AwsSesClient : IEmailService
+{
+	private readonly ILogger<AwsSesClient> _logger;
+	private readonly IAmazonSimpleEmailService _amazonSimpleEmailService;
+
+	public AwsSesClient(ILogger<AwsSesClient> logger, IOptions<AWSSettings> awsSettings)
+	{
+		_logger = logger;
+		_amazonSimpleEmailService = new AmazonSimpleEmailServiceClient(
+			awsSettings.Value.AccessKey,
+			awsSettings.Value.SecretKey,
+			Amazon.RegionEndpoint.GetBySystemName(awsSettings.Value.RegionName));
+	}
+
+	public async Task SendTextEmailAsync(string fromAddress, List<string> toAddresses, string subject, string body)
+	{
+		var request = new SendEmailRequest()
+		{
+			Source = fromAddress,
+			Destination = new Destination(toAddresses),
+			Message = new Message()
+			{
+				Subject = new Content(subject),
+				Body = new Body()
+				{
+					Text = new Content()
+					{
+						Charset = "UTF-8",
+						Data = body,
+					}
+				},
+			}
+		};
+
+		await SendEmailAsync(request);
+	}
+
+	public async Task SendHTMLEmailAsync(string fromAddress, List<string> toAddresses, string subject, string body)
+	{
+		var request = new SendEmailRequest()
+		{
+			Source = fromAddress,
+			Destination = new Destination(toAddresses),
+			Message = new Message()
+			{
+				Subject = new Content(subject),
+				Body = new Body()
+				{
+					Html = new Content()
+					{
+						Charset = "UTF-8",
+						Data = body,
+					}
+				},
+			}
+		};
+
+		await SendEmailAsync(request);
+	}
+
+	private async Task SendEmailAsync(SendEmailRequest request)
+	{
+		try
+		{
+			_logger.LogInformation("Sending email.");
+			var response = await _amazonSimpleEmailService.SendEmailAsync(request);
+
+			if (response is null)
+			{
+				throw new AwsSesClientException("Error occurred while sending email. Response not received.");
+			}
+
+			_logger.LogInformation("Email sent successfully: {Response}.", JsonSerializer.Serialize(response));
+		}
+		catch (MessageRejectedException ex)
+		{
+			_logger.LogError(ex, "Error occurred while sending email: {Request}.", JsonSerializer.Serialize(request));
+			throw;
+		}
+		catch (MailFromDomainNotVerifiedException ex)
+		{
+			_logger.LogError(ex, "Error occurred while sending email: {Request}.", JsonSerializer.Serialize(request));
+			throw;
+		}
+		catch (Exception ex)
+		{
+			_logger.LogError(ex, "Error occurred while sending email: {Request}.", JsonSerializer.Serialize(request));
+			throw;
+		}
+	}
+}
diff --git a/UT4MasterServer.Services/Scoped/CleanupService.cs b/UT4MasterServer.Services/Scoped/CleanupService.cs
new file mode 100644
index 00000000..714ce85a
--- /dev/null
+++ b/UT4MasterServer.Services/Scoped/CleanupService.cs
@@ -0,0 +1,70 @@
+using Microsoft.Extensions.Logging;
+using UT4MasterServer.Common;
+using UT4MasterServer.Services.Singleton;
+
+namespace UT4MasterServer.Services.Scoped;
+
+public sealed class CleanupService
+{
+	private readonly ILogger<CleanupService> logger;
+	private readonly AccountService accountService;
+	private readonly SessionService sessionService;
+	private readonly CodeService codeService;
+	private readonly FriendService friendService;
+	private readonly CloudStorageService cloudStorageService;
+	private readonly StatisticsService statisticsService;
+	private readonly TrustedGameServerService trustedGameServerService;
+	private readonly RatingsService ratingsService;
+
+	public CleanupService(
+		ILogger<CleanupService> logger,
+		AccountService accountService,
+		SessionService sessionService,
+		CodeService codeService,
+		FriendService friendService,
+		CloudStorageService cloudStorageService,
+		StatisticsService statisticsService,
+		TrustedGameServerService trustedGameServerService,
+		RatingsService ratingsService
+)
+	{
+		this.logger = logger;
+		this.accountService = accountService;
+		this.sessionService = sessionService;
+		this.codeService = codeService;
+		this.friendService = friendService;
+		this.cloudStorageService = cloudStorageService;
+		this.statisticsService = statisticsService;
+		this.trustedGameServerService = trustedGameServerService;
+		this.ratingsService = ratingsService;
+	}
+
+	public async Task RemoveNonVerifiedAccountsAsync()
+	{
+		var nonVerifiedAccountIds = await accountService.GetNonVerifiedAccountsAsync();
+		await RemoveAccountAndAssociatedDataAsync(nonVerifiedAccountIds);
+	}
+
+	public async Task RemoveAccountAndAssociatedDataAsync(List<EpicID> accountIDs)
+	{
+		foreach (var accountID in accountIDs)
+		{
+			await RemoveAccountAndAssociatedDataAsync(accountID);
+		}
+	}
+
+	public async Task RemoveAccountAndAssociatedDataAsync(EpicID accountID)
+	{
+		logger.LogInformation("Deleting account: {AccountID}.", accountID);
+
+		await accountService.RemoveAccountAsync(accountID);
+		await sessionService.RemoveSessionsWithFilterAsync(EpicID.Empty, accountID, EpicID.Empty);
+		await codeService.RemoveAllByAccountAsync(accountID);
+		await cloudStorageService.RemoveAllByAccountAsync(accountID);
+		await statisticsService.RemoveAllByAccountAsync(accountID);
+		await ratingsService.RemoveAllByAccountAsync(accountID);
+		await friendService.RemoveAllByAccountAsync(accountID);
+		await trustedGameServerService.RemoveAllByAccountAsync(accountID);
+		// NOTE: missing removal of account from live servers. this should take care of itself in a relatively short time.
+	}
+}
diff --git a/UT4MasterServer.Services/Singleton/RateLimitService.cs b/UT4MasterServer.Services/Singleton/RateLimitService.cs
new file mode 100644
index 00000000..da7eae57
--- /dev/null
+++ b/UT4MasterServer.Services/Singleton/RateLimitService.cs
@@ -0,0 +1,25 @@
+using Microsoft.Extensions.Caching.Memory;
+using UT4MasterServer.Common.Exceptions;
+
+namespace UT4MasterServer.Services.Singleton;
+
+public sealed class RateLimitService
+{
+	private readonly IMemoryCache memoryCache;
+
+	public RateLimitService(IMemoryCache memoryCache)
+	{
+		this.memoryCache = memoryCache;
+	}
+
+	public void CheckRateLimit(string key, int expirationInSeconds = 60)
+	{
+		if (memoryCache.TryGetValue<DateTime>(key, out var value))
+		{
+			throw new RateLimitExceededException($"Rate limit exceeded. Wait {value.Subtract(DateTime.UtcNow).Seconds} second(s) and try again.");
+		}
+
+		var expiration = DateTime.UtcNow.AddSeconds(expirationInSeconds);
+		memoryCache.Set(key, expiration, TimeSpan.FromSeconds(expirationInSeconds));
+	}
+}
diff --git a/UT4MasterServer.Services/UT4MasterServer.Services.csproj b/UT4MasterServer.Services/UT4MasterServer.Services.csproj
index 33e9edf4..e1558d3d 100644
--- a/UT4MasterServer.Services/UT4MasterServer.Services.csproj
+++ b/UT4MasterServer.Services/UT4MasterServer.Services.csproj
@@ -7,6 +7,8 @@
   </PropertyGroup>
 
   <ItemGroup>
+    <PackageReference Include="AWSSDK.SimpleEmail" Version="3.7.100.72" />
+    <PackageReference Include="Microsoft.Extensions.Caching.Abstractions" Version="6.0.0" />
     <PackageReference Include="Microsoft.Extensions.Hosting.Abstractions" Version="6.0.0" />
     <PackageReference Include="Microsoft.Extensions.Options" Version="6.0.0" />
   </ItemGroup>
diff --git a/UT4MasterServer.Web/src/enums/role.ts b/UT4MasterServer.Web/src/enums/role.ts
index bd7c917b..644893f1 100644
--- a/UT4MasterServer.Web/src/enums/role.ts
+++ b/UT4MasterServer.Web/src/enums/role.ts
@@ -4,5 +4,6 @@ export enum Role {
   Moderator = 'Moderator',
   Developer = 'Developer',
   ContentCreator = 'ContentCreator',
-  HubOwner = 'HubOwner'
+  HubOwner = 'HubOwner',
+  EmailVerified = 'EmailVerified'
 }
diff --git a/UT4MasterServer.Web/src/pages/ForgotPassword.vue b/UT4MasterServer.Web/src/pages/ForgotPassword.vue
new file mode 100644
index 00000000..324ef857
--- /dev/null
+++ b/UT4MasterServer.Web/src/pages/ForgotPassword.vue
@@ -0,0 +1,77 @@
+<template>
+  <LoadingPanel :status="status" :error="errorMessage">
+    <form @submit.prevent="initiateResetPassword">
+      <fieldset>
+        <legend>Forgot Password</legend>
+        <div v-show="resetPasswordLinkSent" class="alert alert-success">
+          <div>Reset password link sent to email.</div>
+        </div>
+        <div class="form-group row">
+          <label for="email" class="col-sm-12 col-form-label">Email</label>
+          <div class="col-sm-6">
+            <input
+              id="username"
+              v-model="email"
+              type="text"
+              class="form-control"
+              name="email"
+              required
+              placeholder="Email"
+              autocomplete="email"
+              autofocus
+            />
+            <div class="invalid-feedback">Email is required</div>
+          </div>
+        </div>
+        <div class="form-group row">
+          <div class="col-sm-12">
+            <button
+              type="submit"
+              class="btn btn-primary"
+              :disabled="!formValid"
+              tabindex="2"
+            >
+              Send reset password link
+            </button>
+          </div>
+        </div>
+      </fieldset>
+    </form>
+  </LoadingPanel>
+</template>
+
+<script setup lang="ts">
+import { shallowRef, computed } from 'vue';
+import LoadingPanel from '@/components/LoadingPanel.vue';
+import { AsyncStatus } from '@/types/async-status';
+import { validateEmail } from '@/utils/validation';
+import AccountService from '@/services/account.service';
+
+const status = shallowRef(AsyncStatus.OK);
+const errorMessage = shallowRef(
+  'Error occurred while sending reset password link.'
+);
+const email = shallowRef('');
+const formValid = computed(() => email.value && validateEmail(email.value));
+const resetPasswordLinkSent = shallowRef(false);
+const accountService = new AccountService();
+
+async function initiateResetPassword() {
+  try {
+    status.value = AsyncStatus.BUSY;
+
+    const formData = {
+      email: email.value
+    };
+
+    await accountService.initiateResetPassword(formData);
+
+    status.value = AsyncStatus.OK;
+    resetPasswordLinkSent.value = true;
+  } catch (err: unknown) {
+    resetPasswordLinkSent.value = false;
+    status.value = AsyncStatus.ERROR;
+    errorMessage.value = (err as Error)?.message;
+  }
+}
+</script>
diff --git a/UT4MasterServer.Web/src/pages/Login.vue b/UT4MasterServer.Web/src/pages/Login.vue
index f5fea4a9..0f102ad7 100644
--- a/UT4MasterServer.Web/src/pages/Login.vue
+++ b/UT4MasterServer.Web/src/pages/Login.vue
@@ -1,8 +1,18 @@
 <template>
-  <LoadingPanel :status="status" :error="errorMessage">
+  <LoadingPanel
+    :status="status"
+    :error="errorMessage"
+    auto-load
+    @load="parseQueryValues"
+  >
     <form @submit.prevent="logIn">
       <fieldset>
         <legend>Log In</legend>
+        <div>
+          <div v-show="verificationLinkSent" class="alert alert-success">
+            <span>Verification link sent to email.</span>
+          </div>
+        </div>
         <div class="form-group row">
           <label for="username" class="col-sm-12 col-form-label"
             >Username</label
@@ -72,7 +82,8 @@
       </fieldset>
     </form>
   </LoadingPanel>
-  <RouterLink to="/Register">Create an account</RouterLink>
+  <RouterLink to="/Register">Create an account</RouterLink> |
+  <RouterLink to="/ForgotPassword">Forgot password</RouterLink>
 </template>
 
 <script setup lang="ts">
@@ -85,11 +96,13 @@ import { SessionStore } from '@/stores/session-store';
 import { useRoute, useRouter } from 'vue-router';
 import { GrantType } from '@/enums/grant-type';
 import { validatePassword } from '@/utils/validation';
+import { HttpError } from '@/services/http.service';
 
 const username = shallowRef(SessionStore.username ?? '');
 const password = shallowRef('');
 const saveUsername = shallowRef(SessionStore.saveUsername);
 const status = shallowRef(AsyncStatus.OK);
+const verificationLinkSent = shallowRef(false);
 const formValid = computed(
   () => username.value && validatePassword(password.value)
 );
@@ -100,6 +113,14 @@ const authenticationService = new AuthenticationService();
 const router = useRouter();
 const route = useRoute();
 
+function parseQueryValues() {
+  const { verificationLinkSent: qVerificationLinkSent } = route.query;
+
+  if (qVerificationLinkSent === 'true') {
+    verificationLinkSent.value = true;
+  }
+}
+
 async function logIn() {
   try {
     status.value = AsyncStatus.BUSY;
@@ -114,8 +135,10 @@ async function logIn() {
     const redirectTo = (route.query.redirect ?? 'Profile') as string;
     router.push(redirectTo);
   } catch (err: unknown) {
+    const error = err as HttpError;
+    verificationLinkSent.value = false;
     status.value = AsyncStatus.ERROR;
-    errorMessage.value = (err as Error)?.message;
+    errorMessage.value = error.message;
   }
 }
 </script>
diff --git a/UT4MasterServer.Web/src/pages/Profile/PlayerCard.vue b/UT4MasterServer.Web/src/pages/Profile/PlayerCard.vue
index 9c7e96c1..1ea29ef6 100644
--- a/UT4MasterServer.Web/src/pages/Profile/PlayerCard.vue
+++ b/UT4MasterServer.Web/src/pages/Profile/PlayerCard.vue
@@ -5,6 +5,38 @@
 <template>
   <h1>Player Card</h1>
   <div v-if="AccountStore.account" class="row">
+    <div v-if="!emailVerified">
+      <div
+        v-if="
+          verificationLinkSent ||
+          (verificationLinkGUID && !verificationLinkExpired)
+        "
+        class="alert alert-warning"
+      >
+        <div>
+          Email is not verified. Verify email via verification link that was
+          sent to your email and then refresh the page.
+        </div>
+      </div>
+      <div v-else class="alert alert-danger">
+        <LoadingPanel
+          :status="status"
+          error="Error occurred while sending verification link!"
+        >
+          <div>
+            Email is not verified. Click
+            <button
+              type="button"
+              class="btn btn-link p-0"
+              @click="sendVerificationLink"
+            >
+              here
+            </button>
+            to send the verification link.
+          </div>
+        </LoadingPanel>
+      </div>
+    </div>
     <div class="col-sm-6">
       <table class="table table-hover">
         <tbody>
@@ -74,5 +106,47 @@ img.avatar {
 </style>
 
 <script lang="ts" setup>
+import { shallowRef, computed } from 'vue';
 import { AccountStore } from '@/stores/account-store';
+import AccountService from '@/services/account.service';
+import LoadingPanel from '@/components/LoadingPanel.vue';
+import { AsyncStatus } from '@/types/async-status';
+import { Role } from '@/enums/role';
+
+const status = shallowRef(AsyncStatus.OK);
+const emailVerified = computed(() =>
+  AccountStore.account?.roles?.some((r) => r === Role.EmailVerified)
+);
+const verificationLinkGUID = computed(
+  () => AccountStore.account?.verificationLinkGUID
+);
+const verificationLinkExpired = computed(
+  () =>
+    AccountStore.account?.verificationLinkExpiration &&
+    new Date(AccountStore.account?.verificationLinkExpiration).getTime() <
+      Date.now()
+);
+const verificationLinkSent = shallowRef(false);
+
+const accountService = new AccountService();
+
+async function sendVerificationLink() {
+  try {
+    if (!AccountStore.account) return;
+
+    status.value = AsyncStatus.BUSY;
+
+    const formData = {
+      email: AccountStore.account.email
+    };
+
+    await accountService.resendVerificationLink(formData);
+
+    status.value = AsyncStatus.OK;
+    verificationLinkSent.value = true;
+  } catch (err: unknown) {
+    console.error('Error occurred while sending verification link:', err);
+    status.value = AsyncStatus.ERROR;
+  }
+}
 </script>
diff --git a/UT4MasterServer.Web/src/pages/Register.vue b/UT4MasterServer.Web/src/pages/Register.vue
index cfb44e44..ad4c9baa 100644
--- a/UT4MasterServer.Web/src/pages/Register.vue
+++ b/UT4MasterServer.Web/src/pages/Register.vue
@@ -149,7 +149,7 @@ async function register() {
     }
     await accountService.register(formData);
     status.value = AsyncStatus.OK;
-    router.push('/Login');
+    router.push(`/Login?verificationLinkSent=true`);
   } catch (err: unknown) {
     status.value = AsyncStatus.ERROR;
     errorMessage.value = (err as Error)?.message;
diff --git a/UT4MasterServer.Web/src/pages/ResetPassword.vue b/UT4MasterServer.Web/src/pages/ResetPassword.vue
new file mode 100644
index 00000000..4dcbd485
--- /dev/null
+++ b/UT4MasterServer.Web/src/pages/ResetPassword.vue
@@ -0,0 +1,132 @@
+<template>
+  <LoadingPanel
+    :status="status"
+    :error="errorMessage"
+    auto-load
+    @load="parseQueryValues"
+  >
+    <form @submit.prevent="resetPassword">
+      <fieldset>
+        <legend>Reset Password</legend>
+        <div
+          v-show="passwordChanged"
+          class="alert alert-dismissible alert-success"
+        >
+          <div>
+            Password changed successfully. Click
+            <RouterLink to="/Login">here</RouterLink> to go to login page.
+          </div>
+        </div>
+        <div v-show="!passwordChanged" class="form-group row">
+          <label for="newPassword" class="col-sm-12 col-form-label"
+            >New Password</label
+          >
+          <div class="col-sm-6">
+            <input
+              id="newPassword"
+              v-model="newPassword"
+              type="password"
+              class="form-control"
+              name="newPassword"
+              required
+              placeholder="New Password"
+              autofocus
+            />
+            <div class="invalid-feedback">New password is required</div>
+          </div>
+        </div>
+        <div v-show="!passwordChanged" class="form-group row">
+          <label for="confirmNewPassword" class="col-sm-12 col-form-label"
+            >Confirm New Password</label
+          >
+          <div class="col-sm-6">
+            <input
+              id="confirmNewPassword"
+              v-model="confirmNewPassword"
+              type="password"
+              class="form-control"
+              name="confirmNewPassword"
+              required
+              placeholder="Confirm New Password"
+              autofocus
+            />
+            <div class="invalid-feedback">Confirm new password is required</div>
+          </div>
+        </div>
+        <div v-show="!passwordChanged" class="form-group row">
+          <div class="col-sm-12">
+            <button
+              type="submit"
+              class="btn btn-primary"
+              :disabled="!formValid"
+              tabindex="2"
+            >
+              Change password
+            </button>
+          </div>
+        </div>
+      </fieldset>
+    </form>
+  </LoadingPanel>
+</template>
+
+<script setup lang="ts">
+import { shallowRef, computed } from 'vue';
+import { useRoute } from 'vue-router';
+import CryptoJS from 'crypto-js';
+import LoadingPanel from '@/components/LoadingPanel.vue';
+import { AsyncStatus } from '@/types/async-status';
+import { validatePassword } from '@/utils/validation';
+import AccountService from '@/services/account.service';
+
+const route = useRoute();
+const status = shallowRef(AsyncStatus.OK);
+const passwordChanged = shallowRef(false);
+const errorMessage = shallowRef('Error occurred while resetting password.');
+const accountId = shallowRef('');
+const guid = shallowRef('');
+const newPassword = shallowRef('');
+const confirmNewPassword = shallowRef('');
+const formValid = computed(
+  () =>
+    newPassword.value &&
+    validatePassword(newPassword.value) &&
+    confirmNewPassword.value &&
+    newPassword.value === confirmNewPassword.value
+);
+const accountService = new AccountService();
+
+function parseQueryValues() {
+  const { accountId: qAccountId, guid: qGuid } = route.query;
+
+  if (!qAccountId?.length || !qGuid?.length) {
+    status.value = AsyncStatus.ERROR;
+    errorMessage.value = 'Bad request';
+    return;
+  }
+
+  accountId.value = qAccountId as string;
+  guid.value = qGuid as string;
+}
+
+async function resetPassword() {
+  try {
+    status.value = AsyncStatus.BUSY;
+
+    const formData = {
+      accountId: accountId.value,
+      guid: guid.value,
+      newPassword: CryptoJS.SHA512(newPassword.value).toString()
+    };
+
+    await accountService.resetPassword(formData);
+
+    status.value = AsyncStatus.OK;
+    passwordChanged.value = true;
+  } catch (err: unknown) {
+    passwordChanged.value = false;
+    status.value = AsyncStatus.ERROR;
+    errorMessage.value = (err as Error)?.message;
+  }
+}
+</script>
diff --git a/UT4MasterServer.Web/src/pages/VerifyEmail.vue b/UT4MasterServer.Web/src/pages/VerifyEmail.vue
new file mode 100644
index 00000000..f566368c
--- /dev/null
+++ b/UT4MasterServer.Web/src/pages/VerifyEmail.vue
@@ -0,0 +1,57 @@
+<template>
+  <LoadingPanel
+    :status="status"
+    :error="errorMessage"
+    auto-load
+    @load="verifyEmail"
+  >
+    <div v-show="verified" class="alert alert-dismissible alert-success">
+      <div>
+        Email verified successfully.
+        <span v-if="!SessionStore.isAuthenticated"
+          >Click <a href="/Login">here</a> to go to the login page.</span
+        >
+      </div>
+    </div>
+  </LoadingPanel>
+</template>
+
+<script setup lang="ts">
+import { shallowRef } from 'vue';
+import { useRoute } from 'vue-router';
+import LoadingPanel from '@/components/LoadingPanel.vue';
+import { AsyncStatus } from '@/types/async-status';
+import AccountService from '@/services/account.service';
+import { SessionStore } from '@/stores/session-store';
+
+const status = shallowRef(AsyncStatus.OK);
+const errorMessage = shallowRef('Error occurred while verifying email.');
+const verified = shallowRef(false);
+const route = useRoute();
+const accountService = new AccountService();
+
+async function verifyEmail() {
+  try {
+    status.value = AsyncStatus.BUSY;
+    const { accountId, guid } = route.query;
+
+    if (!accountId?.length || !guid?.length) {
+      status.value = AsyncStatus.ERROR;
+      return;
+    }
+
+    const formData = {
+      accountId: accountId as string,
+      guid: guid as string
+    };
+
+    await accountService.verifyEmail(formData);
+
+    status.value = AsyncStatus.OK;
+    verified.value = true;
+  } catch (err: unknown) {
+    status.value = AsyncStatus.ERROR;
+    errorMessage.value = (err as Error)?.message;
+  }
+}
+</script>
diff --git a/UT4MasterServer.Web/src/routes.ts b/UT4MasterServer.Web/src/routes.ts
index 41b0fd29..682ebc45 100644
--- a/UT4MasterServer.Web/src/routes.ts
+++ b/UT4MasterServer.Web/src/routes.ts
@@ -98,11 +98,25 @@ export const routes: RouteRecordRaw[] = [
     component: async () => import('./pages/Register.vue'),
     beforeEnter: publicGuard
   },
+  {
+    path: `/VerifyEmail`,
+    component: async () => import('./pages/VerifyEmail.vue')
+  },
   {
     path: `/Login`,
     component: async () => import('./pages/Login.vue'),
     beforeEnter: publicGuard
   },
+  {
+    path: `/ForgotPassword`,
+    component: async () => import('./pages/ForgotPassword.vue'),
+    beforeEnter: publicGuard
+  },
+  {
+    path: `/ResetPassword`,
+    component: async () => import('./pages/ResetPassword.vue'),
+    beforeEnter: publicGuard
+  },
   {
     path: `/`,
     redirect: '/Login'
diff --git a/UT4MasterServer.Web/src/services/account.service.ts b/UT4MasterServer.Web/src/services/account.service.ts
index 98281f10..fa0f06ad 100644
--- a/UT4MasterServer.Web/src/services/account.service.ts
+++ b/UT4MasterServer.Web/src/services/account.service.ts
@@ -5,6 +5,10 @@ import { IChangePasswordRequest } from '@/types/change-password-request';
 import { IChangeUsernameRequest } from '@/types/change-username-request';
 import { IRegisterRequest } from '@/types/register-request';
 import { ISearchAccountsResponse } from '@/types/search-accounts-response';
+import { IVerifyEmailRequest } from '@/types/verify-email-request';
+import { IResendVerificationLinkRequest } from '@/types/resend-verification-link-request';
+import { IInitiateResetPasswordRequest } from '@/types/initiate-reset-password-request';
+import { IResetPasswordRequest } from '@/types/reset-password-request';
 import HttpService from './http.service';
 
 export default class AccountService extends HttpService {
@@ -66,4 +70,31 @@ export default class AccountService extends HttpService {
       false
     );
   }
+
+  async verifyEmail(request: IVerifyEmailRequest) {
+    return await this.post(`${this.baseUrl}/verify-email`, {
+      body: request
+    });
+  }
+
+  async resendVerificationLink(request: IResendVerificationLinkRequest) {
+    return await this.post(`${this.baseUrl}/resend-verification-link`, {
+      body: request
+    });
+  }
+
+  async initiateResetPassword(request: IInitiateResetPasswordRequest) {
+    return await this.post(`${this.baseUrl}/initiate-reset-password`, {
+      body: request
+    });
+  }
+
+  async resetPassword(request: IResetPasswordRequest) {
+    return await this.post<unknown, IResetPasswordRequest>(
+      `${this.baseUrl}/reset-password`,
+      {
+        body: request
+      }
+    );
+  }
 }
diff --git a/UT4MasterServer.Web/src/services/http.service.ts b/UT4MasterServer.Web/src/services/http.service.ts
index 5056a5b6..ec2581f4 100644
--- a/UT4MasterServer.Web/src/services/http.service.ts
+++ b/UT4MasterServer.Web/src/services/http.service.ts
@@ -1,3 +1,4 @@
+import { ErrorCode } from '@/enums/error-code';
 import { SessionStore } from '@/stores/session-store';
 
 type HttpMethod = 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
@@ -9,12 +10,14 @@ export interface HttpRequestOptions<T = unknown> {
 }
 
 export class HttpError {
-  code: number;
+  errorCode?: ErrorCode;
   message: string;
+  httpStatusCode?: number;
 
-  constructor(code: number, message: string) {
-    this.code = code;
+  constructor(message: string, errorCode?: ErrorCode, statusCode?: number) {
+    this.errorCode = errorCode;
     this.message = message;
+    this.httpStatusCode = statusCode;
   }
 }
 
@@ -68,10 +71,13 @@ export default class HttpService {
       const errorResponseText = await response
         .text()
         .catch(() => console.debug('Unable to read error body.'));
-      const errorMessage = errorResponseJson?.errorMessage ?? errorResponseText;
-      const errorCode = errorResponseJson?.errorCode ?? response.status;
-      const defaultErrorMessage = `HTTP request error - ${response.status}: ${response.statusText}`;
-      throw new HttpError(errorCode, errorMessage ?? defaultErrorMessage);
+      const errorMessage =
+        errorResponseJson?.errorMessage ??
+        errorResponseText ??
+        response.statusText;
+      const errorCode = errorResponseJson?.errorCode as ErrorCode;
+      const statusCode = response.status;
+      throw new HttpError(errorMessage, errorCode, statusCode);
     }
 
     const responseObj = await response.json().catch(() => {
diff --git a/UT4MasterServer.Web/src/types/account.ts b/UT4MasterServer.Web/src/types/account.ts
index 083ce8f9..f29332a2 100644
--- a/UT4MasterServer.Web/src/types/account.ts
+++ b/UT4MasterServer.Web/src/types/account.ts
@@ -22,4 +22,6 @@ export interface IAccountExtended extends IAccountWithRoles {
   flags: number;
   level: number;
   levelStockLimited: number;
+  verificationLinkGUID: string;
+  verificationLinkExpiration: Date;
 }
diff --git a/UT4MasterServer.Web/src/types/initiate-reset-password-request.ts b/UT4MasterServer.Web/src/types/initiate-reset-password-request.ts
new file mode 100644
index 00000000..13fd87df
--- /dev/null
+++ b/UT4MasterServer.Web/src/types/initiate-reset-password-request.ts
@@ -0,0 +1,3 @@
+export interface IInitiateResetPasswordRequest {
+  email: string;
+}
diff --git a/UT4MasterServer.Web/src/types/resend-verification-link-request.ts b/UT4MasterServer.Web/src/types/resend-verification-link-request.ts
new file mode 100644
index 00000000..b8160c7b
--- /dev/null
+++ b/UT4MasterServer.Web/src/types/resend-verification-link-request.ts
@@ -0,0 +1,3 @@
+export interface IResendVerificationLinkRequest {
+  email: string;
+}
diff --git a/UT4MasterServer.Web/src/types/reset-password-request.ts b/UT4MasterServer.Web/src/types/reset-password-request.ts
new file mode 100644
index 00000000..a857843d
--- /dev/null
+++ b/UT4MasterServer.Web/src/types/reset-password-request.ts
@@ -0,0 +1,5 @@
+export interface IResetPasswordRequest {
+  accountId: string;
+  guid: string;
+  newPassword: string;
+}
diff --git a/UT4MasterServer.Web/src/types/verify-email-request.ts b/UT4MasterServer.Web/src/types/verify-email-request.ts
new file mode 100644
index 00000000..5e9766ad
--- /dev/null
+++ b/UT4MasterServer.Web/src/types/verify-email-request.ts
@@ -0,0 +1,4 @@
+export interface IVerifyEmailRequest {
+  accountId: string;
+  guid: string;
+}
diff --git a/UT4MasterServer/Controllers/AdminPanelController.cs b/UT4MasterServer/Controllers/AdminPanelController.cs
index f1171e41..8b55aea3 100644
--- a/UT4MasterServer/Controllers/AdminPanelController.cs
+++ b/UT4MasterServer/Controllers/AdminPanelController.cs
@@ -1,258 +1,252 @@
-using Microsoft.AspNetCore.Mvc;
-using UT4MasterServer.Authentication;
-using UT4MasterServer.Common.Helpers;
-using UT4MasterServer.Models.Database;
-using UT4MasterServer.Models.DTO.Requests;
-using UT4MasterServer.Common;
-using UT4MasterServer.Services.Scoped;
-using UT4MasterServer.Services.Singleton;
-using UT4MasterServer.Models.DTO.Responses;
-using UT4MasterServer.Models;
-using UT4MasterServer.Models.Responses;
-using Microsoft.Net.Http.Headers;
-using UT4MasterServer.Common.Enums;
-
-namespace UT4MasterServer.Controllers;
-
-[ApiController]
-[Route("admin")]
-[AuthorizeBearer]
-public sealed class AdminPanelController : ControllerBase
-{
-	private readonly ILogger<AdminPanelController> logger;
-	private readonly AccountService accountService;
-	private readonly SessionService sessionService;
-	private readonly CodeService codeService;
-	private readonly FriendService friendService;
-	private readonly CloudStorageService cloudStorageService;
-	private readonly StatisticsService statisticsService;
-	private readonly ClientService clientService;
-	private readonly TrustedGameServerService trustedGameServerService;
-	private readonly RatingsService ratingsService;
-
-	private readonly MatchmakingService matchmakingService;
-
-	public AdminPanelController(
-		ILogger<AdminPanelController> logger,
-		AccountService accountService,
-		SessionService sessionService,
-		CodeService codeService,
-		FriendService friendService,
-		CloudStorageService cloudStorageService,
-		StatisticsService statisticsService,
-		ClientService clientService,
-		TrustedGameServerService trustedGameServerService,
-		RatingsService ratingsService,
-		MatchmakingService matchmakingService)
-	{
-		this.logger = logger;
-		this.accountService = accountService;
-		this.sessionService = sessionService;
-		this.codeService = codeService;
-		this.friendService = friendService;
-		this.cloudStorageService = cloudStorageService;
-		this.statisticsService = statisticsService;
-		this.clientService = clientService;
-		this.trustedGameServerService = trustedGameServerService;
-		this.ratingsService = ratingsService;
-		this.matchmakingService = matchmakingService;
-	}
-
-	#region Accounts
-
-	[HttpGet("flags")]
-	public async Task<IActionResult> GetAllPossibleFlags()
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
-
-		return Ok(Enum.GetNames<AccountFlags>().OrderBy(x => x));
-	}
-
-	[HttpGet("flags/{accountID}")]
-	public async Task<IActionResult> GetAccountFlags(string accountID)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
-
-		AccountFlags? flags = await accountService.GetAccountFlagsAsync(EpicID.FromString(accountID));
-		if (flags == null)
-		{
-			return NotFound();
-		}
-
-		List<string>? result = EnumHelpers.EnumToStrings(flags.Value);
-		return Ok(result);
-	}
-
-	[HttpPut("flags/{accountID}")]
-	public async Task<IActionResult> SetAccountFlags(string accountID, [FromBody] string[] flagNames)
-	{
-		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
-
-		List<AccountFlags>? flags = EnumHelpers.StringsToEnumArray<AccountFlags>(flagNames);
-
-		Account? account = await accountService.GetAccountAsync(EpicID.FromString(accountID));
-		if (account == null)
-		{
-			return NotFound();
-		}
-
-		List<AccountFlags>? flagsOld = EnumHelpers.EnumFlagsToEnumArray(account.Flags);
-		AccountFlags adminFlags = admin.Account.Flags;
-
-		AccountFlags flagsAdded = EnumHelpers.EnumArrayToEnumFlags(flags.Where(x => !flagsOld.Contains(x)));
-		AccountFlags flagsRemoved = EnumHelpers.EnumArrayToEnumFlags(flagsOld.Where(x => !flags.Contains(x)));
-
-		LogLevel logLevel = LogLevel.Warning;
-
-		try
-		{
-			if (adminFlags.HasFlag(AccountFlags.Admin))
-			{
-				if (flagsRemoved.HasFlag(AccountFlags.Admin))
-				{
-					// TODO: there should be something like voting in order to pass this decision
-					return Unauthorized($"Cannot remove {nameof(AccountFlags.Admin)} flag, this action must be performed with direct access to database");
-				}
-
-				if (flagsAdded.HasFlag(AccountFlags.Admin))
-				{
-					// TODO: there should be something like voting in order to pass this decision
-				}
-			}
-			else if (adminFlags.HasFlag(AccountFlags.ACL_AccountsHigh))
-			{
-				if (flagsAdded.HasFlag(AccountFlags.Admin))
-				{
-					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may add {nameof(AccountFlags.Admin)} flag to account");
-				}
-
-				if (flagsAdded.HasFlag(AccountFlags.ACL_AccountsHigh))
-				{
-					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may add {nameof(AccountFlags.ACL_AccountsHigh)} flag to account");
-				}
-
-				if (flagsRemoved.HasFlag(AccountFlags.Admin))
-				{
-					return Unauthorized($"Cannot remove {nameof(AccountFlags.Admin)} flag");
-				}
-
-				if (AccountFlagsHelper.IsACLFlag(flagsRemoved))
-				{
-					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may remove ACL flags");
-				}
-			}
-			else // if (adminFlags.HasFlag(AccountFlags.ACL_AccountsLow))
-			{
-				if (AccountFlagsHelper.IsACLFlag(flagsAdded))
-				{
-					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may add ACL flags");
-				}
-
-				if (AccountFlagsHelper.IsACLFlag(flagsRemoved))
-				{
-					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may remove ACL flags");
-				}
-			}
-
-			logLevel = LogLevel.Information;
-
-			if (flagsRemoved.HasFlag(AccountFlags.HubOwner))
-			{
-				await trustedGameServerService.RemoveAllByAccountAsync(account.ID);
-			}
-			await accountService.UpdateAccountFlagsAsync(account.ID, EnumHelpers.EnumArrayToEnumFlags(flags));
-
-			return Ok();
-		}
-		finally
-		{
-			logger.Log(
-				logLevel,
-				"{User} {OperationResultText} flags of {EditedUser}. | Added: {FlagsAdded} | Removed: {FlagsRemoved}",
-				admin.Account,
-				logLevel <= LogLevel.Information ? "edited" : "failed to edit",
-				account,
-				string.Join(", ", EnumHelpers.EnumToStrings(flagsAdded)),
-				string.Join(", ", EnumHelpers.EnumToStrings(flagsRemoved))
-			);
-		}
-	}
-
-	[HttpPatch("change_password/{id}")]
-	public async Task<IActionResult> ChangePassword(string id, [FromBody] AdminPanelChangePasswordRequest body)
-	{
-		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
-
-		Account? account = await accountService.GetAccountAsync(EpicID.FromString(id));
-		if (account is null)
-		{
-			return NotFound(new ErrorResponse() { ErrorMessage = $"Failed to find account {id}" });
-		}
-
-		AccountFlags flags = account.Flags;
-		LogLevel logLevel = LogLevel.Warning;
-
-		try
-		{
-			if (admin.Account.Flags.HasFlag(AccountFlags.Admin))
-			{
-				if (flags.HasFlag(AccountFlags.Admin))
-				{
-					return Unauthorized($"Cannot change password of another {nameof(AccountFlags.Admin)}");
-				}
-			}
-			else // if (admin.Account.Flags.HasFlag(AccountFlags.ACL_AccountsHigh) || adminFlags.HasFlag(AccountFlags.ACL_AccountsLow))
-			{
-				if (flags.HasFlag(AccountFlags.Admin))
-				{
-					return Unauthorized($"Cannot change password of {nameof(AccountFlags.Admin)} account");
-				}
-
-				if (AccountFlagsHelper.IsACLFlag(flags))
-				{
-					return Unauthorized("Cannot change password of an account with ACL flag");
-				}
-			}
-
-			// passwords should already be hashed, but check its length just in case
-			if (!ValidationHelper.ValidatePassword(body.NewPassword))
-			{
-				return BadRequest("newPassword is not a SHA512 hash");
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Net.Http.Headers;
+using UT4MasterServer.Authentication;
+using UT4MasterServer.Common;
+using UT4MasterServer.Common.Enums;
+using UT4MasterServer.Common.Helpers;
+using UT4MasterServer.Models;
+using UT4MasterServer.Models.Database;
+using UT4MasterServer.Models.DTO.Request;
+using UT4MasterServer.Models.DTO.Requests;
+using UT4MasterServer.Models.DTO.Responses;
+using UT4MasterServer.Models.Responses;
+using UT4MasterServer.Services.Interfaces;
+using UT4MasterServer.Services.Scoped;
+
+namespace UT4MasterServer.Controllers;
+
+[ApiController]
+[Route("admin")]
+[AuthorizeBearer]
+public sealed class AdminPanelController : ControllerBase
+{
+	private readonly ILogger<AdminPanelController> logger;
+	private readonly AccountService accountService;
+	private readonly SessionService sessionService;
+	private readonly CloudStorageService cloudStorageService;
+	private readonly ClientService clientService;
+	private readonly TrustedGameServerService trustedGameServerService;
+	private readonly MatchmakingService matchmakingService;
+	private readonly CleanupService cleanupService;
+	private readonly IEmailService emailService;
+
+	public AdminPanelController(
+		ILogger<AdminPanelController> logger,
+		AccountService accountService,
+		SessionService sessionService,
+		CloudStorageService cloudStorageService,
+		ClientService clientService,
+		TrustedGameServerService trustedGameServerService,
+		MatchmakingService matchmakingService,
+		CleanupService cleanupService,
+		IEmailService emailService)
+	{
+		this.logger = logger;
+		this.accountService = accountService;
+		this.sessionService = sessionService;
+		this.cloudStorageService = cloudStorageService;
+		this.clientService = clientService;
+		this.trustedGameServerService = trustedGameServerService;
+		this.matchmakingService = matchmakingService;
+		this.cleanupService = cleanupService;
+		this.emailService = emailService;
+	}
+
+	#region Accounts
+
+	[HttpGet("flags")]
+	public async Task<IActionResult> GetAllPossibleFlags()
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
+
+		return Ok(Enum.GetNames<AccountFlags>().OrderBy(x => x));
+	}
+
+	[HttpGet("flags/{accountID}")]
+	public async Task<IActionResult> GetAccountFlags(string accountID)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
+
+		AccountFlags? flags = await accountService.GetAccountFlagsAsync(EpicID.FromString(accountID));
+		if (flags == null)
+		{
+			return NotFound();
+		}
+
+		List<string>? result = EnumHelpers.EnumToStrings(flags.Value);
+		return Ok(result);
+	}
+
+	[HttpPut("flags/{accountID}")]
+	public async Task<IActionResult> SetAccountFlags(string accountID, [FromBody] string[] flagNames)
+	{
+		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
+
+		List<AccountFlags>? flags = EnumHelpers.StringsToEnumArray<AccountFlags>(flagNames);
+
+		Account? account = await accountService.GetAccountAsync(EpicID.FromString(accountID));
+		if (account == null)
+		{
+			return NotFound();
+		}
+
+		List<AccountFlags>? flagsOld = EnumHelpers.EnumFlagsToEnumArray(account.Flags);
+		AccountFlags adminFlags = admin.Account.Flags;
+
+		AccountFlags flagsAdded = EnumHelpers.EnumArrayToEnumFlags(flags.Where(x => !flagsOld.Contains(x)));
+		AccountFlags flagsRemoved = EnumHelpers.EnumArrayToEnumFlags(flagsOld.Where(x => !flags.Contains(x)));
+
+		LogLevel logLevel = LogLevel.Warning;
+
+		try
+		{
+			if (adminFlags.HasFlag(AccountFlags.Admin))
+			{
+				if (flagsRemoved.HasFlag(AccountFlags.Admin))
+				{
+					// TODO: there should be something like voting in order to pass this decision
+					return Unauthorized($"Cannot remove {nameof(AccountFlags.Admin)} flag, this action must be performed with direct access to database");
+				}
+
+				if (flagsAdded.HasFlag(AccountFlags.Admin))
+				{
+					// TODO: there should be something like voting in order to pass this decision
+				}
+			}
+			else if (adminFlags.HasFlag(AccountFlags.ACL_AccountsHigh))
+			{
+				if (flagsAdded.HasFlag(AccountFlags.Admin))
+				{
+					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may add {nameof(AccountFlags.Admin)} flag to account");
+				}
+
+				if (flagsAdded.HasFlag(AccountFlags.ACL_AccountsHigh))
+				{
+					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may add {nameof(AccountFlags.ACL_AccountsHigh)} flag to account");
+				}
+
+				if (flagsRemoved.HasFlag(AccountFlags.Admin))
+				{
+					return Unauthorized($"Cannot remove {nameof(AccountFlags.Admin)} flag");
+				}
+
+				if (AccountFlagsHelper.IsACLFlag(flagsRemoved))
+				{
+					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may remove ACL flags");
+				}
+			}
+			else // if (adminFlags.HasFlag(AccountFlags.ACL_AccountsLow))
+			{
+				if (AccountFlagsHelper.IsACLFlag(flagsAdded))
+				{
+					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may add ACL flags");
+				}
+
+				if (AccountFlagsHelper.IsACLFlag(flagsRemoved))
+				{
+					return Unauthorized($"Only {nameof(AccountFlags.Admin)} may remove ACL flags");
+				}
+			}
+
+			logLevel = LogLevel.Information;
+
+			if (flagsRemoved.HasFlag(AccountFlags.HubOwner))
+			{
+				await trustedGameServerService.RemoveAllByAccountAsync(account.ID);
+			}
+			await accountService.UpdateAccountFlagsAsync(account.ID, EnumHelpers.EnumArrayToEnumFlags(flags));
+
+			return Ok();
+		}
+		finally
+		{
+			logger.Log(
+				logLevel,
+				"{User} {OperationResultText} flags of {EditedUser}. | Added: {FlagsAdded} | Removed: {FlagsRemoved}",
+				admin.Account,
+				logLevel <= LogLevel.Information ? "edited" : "failed to edit",
+				account,
+				string.Join(", ", EnumHelpers.EnumToStrings(flagsAdded)),
+				string.Join(", ", EnumHelpers.EnumToStrings(flagsRemoved))
+			);
+		}
+	}
+
+	[HttpPatch("change_password/{id}")]
+	public async Task<IActionResult> ChangePassword(string id, [FromBody] AdminPanelChangePasswordRequest body)
+	{
+		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_AccountsLow, AccountFlags.ACL_AccountsHigh);
+
+		Account? account = await accountService.GetAccountAsync(EpicID.FromString(id));
+		if (account is null)
+		{
+			return NotFound(new ErrorResponse() { ErrorMessage = $"Failed to find account {id}" });
+		}
+
+		AccountFlags flags = account.Flags;
+		LogLevel logLevel = LogLevel.Warning;
+
+		try
+		{
+			if (admin.Account.Flags.HasFlag(AccountFlags.Admin))
+			{
+				if (flags.HasFlag(AccountFlags.Admin))
+				{
+					return Unauthorized($"Cannot change password of another {nameof(AccountFlags.Admin)}");
+				}
+			}
+			else // if (admin.Account.Flags.HasFlag(AccountFlags.ACL_AccountsHigh) || adminFlags.HasFlag(AccountFlags.ACL_AccountsLow))
+			{
+				if (flags.HasFlag(AccountFlags.Admin))
+				{
+					return Unauthorized($"Cannot change password of {nameof(AccountFlags.Admin)} account");
+				}
+
+				if (AccountFlagsHelper.IsACLFlag(flags))
+				{
+					return Unauthorized("Cannot change password of an account with ACL flag");
+				}
+			}
+
+			// passwords should already be hashed, but check its length just in case
+			if (!ValidationHelper.ValidatePassword(body.NewPassword))
+			{
+				return BadRequest("newPassword is not a SHA512 hash");
 			}
 
 			if (account.Email != body.Email)
 			{
 				return BadRequest("Invalid email");
 			}
-
-			if (body.IAmSure != true)
-			{
-				return BadRequest("'iAmSure' was not 'true'");
-			}
-
-			await accountService.UpdateAccountPasswordAsync(account.ID, body.NewPassword);
-
-			// logout user to make sure they remember the changed password by being forced to log in again,
-			// as well as prevent anyone else from using this account after successful password change.
-			await sessionService.RemoveSessionsWithFilterAsync(EpicID.Empty, account.ID, EpicID.Empty);
-
-			return Ok();
-		}
-		finally
-		{
-			logger.Log(
-				logLevel,
-				"{User} {OperationResultText} password of {EditedUser}.",
-				admin.Account,
-				logLevel <= LogLevel.Information ? "changed" : "was not authorized to change",
-				account
-			);
-		}
-	}
-
-	[HttpDelete("account/{id}")]
-	public async Task<IActionResult> DeleteAccountInfo(string id, [FromBody] bool? forceCheckBroken)
-	{
+
+			if (body.IAmSure != true)
+			{
+				return BadRequest("'iAmSure' was not 'true'");
+			}
+
+			await accountService.UpdateAccountPasswordAsync(account.ID, body.NewPassword);
+
+			// logout user to make sure they remember the changed password by being forced to log in again,
+			// as well as prevent anyone else from using this account after successful password change.
+			await sessionService.RemoveSessionsWithFilterAsync(EpicID.Empty, account.ID, EpicID.Empty);
+
+			return Ok();
+		}
+		finally
+		{
+			logger.Log(
+				logLevel,
+				"{User} {OperationResultText} password of {EditedUser}.",
+				admin.Account,
+				logLevel <= LogLevel.Information ? "changed" : "was not authorized to change",
+				account
+			);
+		}
+	}
+
+	[HttpDelete("account/{id}")]
+	public async Task<IActionResult> DeleteAccountInfo(string id, [FromBody] bool? forceCheckBroken)
+	{
 		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_AccountsHigh | AccountFlags.ACL_Maintenance);
 
 		var accountID = EpicID.FromString(id);
@@ -293,370 +287,375 @@ public async Task<IActionResult> DeleteAccountInfo(string id, [FromBody] bool? f
 				{
 					return Unauthorized("You do not possess sufficient permissions to delete an existing account");
 				}
-
-				await accountService.RemoveAccountAsync(account.ID);
 			}
 
-			// remove all associated data
-			await sessionService.RemoveSessionsWithFilterAsync(EpicID.Empty, accountID, EpicID.Empty);
-			await codeService.RemoveAllByAccountAsync(accountID);
-			await cloudStorageService.RemoveAllByAccountAsync(accountID);
-			await statisticsService.RemoveAllByAccountAsync(accountID);
-			await ratingsService.RemoveAllByAccountAsync(accountID);
-			await friendService.RemoveAllByAccountAsync(accountID);
-			await trustedGameServerService.RemoveAllByAccountAsync(accountID);
-			// NOTE: missing removal of account from live servers. this should take care of itself in a relatively short time.
+			// Remove account and all of its associated data
+			await cleanupService.RemoveAccountAndAssociatedDataAsync(accountID);
 
 			logLevel = LogLevel.Information;
 
 			return Ok();
 		}
 		finally
-		{
-			logger.Log(
-				logLevel,
-				"{User} {OperationResultText} account of {EditedUser}.",
-				admin.Account,
-				logLevel <= LogLevel.Information ? "deleted" : "was not authorized to delete",
-				account
+		{
+			logger.Log(
+				logLevel,
+				"{User} {OperationResultText} account of {EditedUser}.",
+				admin.Account,
+				logLevel <= LogLevel.Information ? "deleted" : "was not authorized to delete",
+				account
 			);
-		}
-	}
-
-	#endregion
-
-	#region Clients
-
-	[HttpPost("clients/new")]
-	public async Task<IActionResult> CreateClient([FromBody] string name)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_Clients);
-
-		var client = new Client(EpicID.GenerateNew(), EpicID.GenerateNew().ToString(), name);
-		await clientService.UpdateAsync(client);
-
-		return Ok(client);
-	}
-
-	[HttpGet("clients")]
-	public async Task<IActionResult> GetAllClients()
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_Clients);
-
-		List<Client>? clients = await clientService.ListAsync();
-		return Ok(clients);
-	}
-
-	[HttpGet("clients/{id}")]
-	public async Task<IActionResult> GetClient(string id)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_Clients);
-
-		Client? client = await clientService.GetAsync(EpicID.FromString(id));
-		if (client == null)
-		{
-			return NotFound();
-		}
-
-		return Ok(client);
-	}
-
-	[HttpPatch("clients/{id}")]
-	public async Task<IActionResult> UpdateClient(string id, [FromBody] Client client)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_Clients);
-
-		var eid = EpicID.FromString(id);
-
-		if (eid != client.ID)
-		{
-			return BadRequest();
-		}
-
-		if (IsSpecialClientID(eid))
-		{
-			return Forbid("Cannot modify reserved clients");
-		}
-
-		Task<bool?>? taskUpdateClient = clientService.UpdateAsync(client);
-		Task? taskUpdateServerName = matchmakingService.UpdateServerNameAsync(client.ID, client.Name);
-
-		await taskUpdateClient;
-		await taskUpdateServerName;
-
-		return Ok();
-	}
-
-	[HttpDelete("clients/{id}")]
-	public async Task<IActionResult> DeleteClient(string id)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_Clients);
-
-		var eid = EpicID.FromString(id);
-
-		if (IsSpecialClientID(eid))
-		{
-			return Forbid("Cannot delete reserved clients");
-		}
-
-		var success = await clientService.RemoveAsync(eid);
-		if (success != true)
-		{
-			return BadRequest();
-		}
-
-		// in case this client is a trusted server remove, it as well
-		await trustedGameServerService.RemoveAsync(eid);
-
-		return Ok();
-	}
-
-	#endregion
-
-	#region Trusted Servers
-
-	[HttpGet("trusted_servers")]
-	public async Task<IActionResult> GetAllTrustedServers()
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
-
-		List<TrustedGameServer>? trustedServers = await trustedGameServerService.ListAsync();
-
-		IEnumerable<EpicID>? trustedServerIDs = trustedServers.Select(t => t.ID);
-		IEnumerable<EpicID>? trustedServerOwnerIDs = trustedServers.Select(t => t.OwnerID).Distinct();
-
-		Task<List<Client>>? taskClients = clientService.GetManyAsync(trustedServerIDs);
-		Task<IEnumerable<Account>>? taskAccounts = accountService.GetAccountsAsync(trustedServerOwnerIDs);
-
-		List<Client>? clients = await taskClients;
-		IEnumerable<Account>? accounts = await taskAccounts;
-
-		IEnumerable<TrustedGameServerResponse>? response = trustedServers.Select(t => new TrustedGameServerResponse
-		{
-			ID = t.ID,
-			OwnerID = t.OwnerID,
-			TrustLevel = t.TrustLevel,
-			Client = clients.SingleOrDefault(c => c.ID == t.ID),
-			Owner = accounts.SingleOrDefault(a => a.ID == t.OwnerID)
-		});
-		return Ok(response);
-	}
-
-	[HttpGet("trusted_servers/{id}")]
-	public async Task<IActionResult> GetTrustedServer(string id)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
-
-		TrustedGameServer? ret = await trustedGameServerService.GetAsync(EpicID.FromString(id));
-		return Ok(ret);
-	}
-
-	[HttpPost("trusted_servers")]
-	public async Task<IActionResult> CreateTrustedServer([FromBody] TrustedGameServer body)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
-
-		Client? client = await clientService.GetAsync(body.ID);
-		if (client is null)
-		{
-			return BadRequest("Trusted server does not have a matching client with same ID");
-		}
-
-		TrustedGameServer? server = await trustedGameServerService.GetAsync(body.ID);
-		if (server is not null)
-		{
-			return BadRequest($"Trusted server {body.ID} already exists");
-		}
-
-		Account? owner = await accountService.GetAccountAsync(body.OwnerID);
-		if (owner is null)
-		{
-			return BadRequest($"OwnerID {body.OwnerID} is not a valid account ID");
-		}
-
-		if (!owner.Flags.HasFlag(AccountFlags.HubOwner))
-		{
-			return BadRequest($"Account specified with OwnerID {body.OwnerID} is not marked as HubOwner");
-		}
-
-		await trustedGameServerService.UpdateAsync(body);
+		}
+	}
+
+	#endregion
+
+	#region Clients
+
+	[HttpPost("clients/new")]
+	public async Task<IActionResult> CreateClient([FromBody] string name)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_Clients);
+
+		var client = new Client(EpicID.GenerateNew(), EpicID.GenerateNew().ToString(), name);
+		await clientService.UpdateAsync(client);
+
+		return Ok(client);
+	}
+
+	[HttpGet("clients")]
+	public async Task<IActionResult> GetAllClients()
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_Clients);
+
+		List<Client>? clients = await clientService.ListAsync();
+		return Ok(clients);
+	}
+
+	[HttpGet("clients/{id}")]
+	public async Task<IActionResult> GetClient(string id)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_Clients);
+
+		Client? client = await clientService.GetAsync(EpicID.FromString(id));
+		if (client == null)
+		{
+			return NotFound();
+		}
+
+		return Ok(client);
+	}
+
+	[HttpPatch("clients/{id}")]
+	public async Task<IActionResult> UpdateClient(string id, [FromBody] Client client)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_Clients);
+
+		var eid = EpicID.FromString(id);
+
+		if (eid != client.ID)
+		{
+			return BadRequest();
+		}
+
+		if (IsSpecialClientID(eid))
+		{
+			return Forbid("Cannot modify reserved clients");
+		}
+
+		Task<bool?>? taskUpdateClient = clientService.UpdateAsync(client);
+		Task? taskUpdateServerName = matchmakingService.UpdateServerNameAsync(client.ID, client.Name);
+
+		await taskUpdateClient;
+		await taskUpdateServerName;
+
+		return Ok();
+	}
+
+	[HttpDelete("clients/{id}")]
+	public async Task<IActionResult> DeleteClient(string id)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_Clients);
+
+		var eid = EpicID.FromString(id);
+
+		if (IsSpecialClientID(eid))
+		{
+			return Forbid("Cannot delete reserved clients");
+		}
+
+		var success = await clientService.RemoveAsync(eid);
+		if (success != true)
+		{
+			return BadRequest();
+		}
+
+		// in case this client is a trusted server remove, it as well
+		await trustedGameServerService.RemoveAsync(eid);
+
+		return Ok();
+	}
+
+	#endregion
+
+	#region Trusted Servers
+
+	[HttpGet("trusted_servers")]
+	public async Task<IActionResult> GetAllTrustedServers()
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
+
+		List<TrustedGameServer>? trustedServers = await trustedGameServerService.ListAsync();
+
+		IEnumerable<EpicID>? trustedServerIDs = trustedServers.Select(t => t.ID);
+		IEnumerable<EpicID>? trustedServerOwnerIDs = trustedServers.Select(t => t.OwnerID).Distinct();
+
+		Task<List<Client>>? taskClients = clientService.GetManyAsync(trustedServerIDs);
+		Task<IEnumerable<Account>>? taskAccounts = accountService.GetAccountsAsync(trustedServerOwnerIDs);
+
+		List<Client>? clients = await taskClients;
+		IEnumerable<Account>? accounts = await taskAccounts;
+
+		IEnumerable<TrustedGameServerResponse>? response = trustedServers.Select(t => new TrustedGameServerResponse
+		{
+			ID = t.ID,
+			OwnerID = t.OwnerID,
+			TrustLevel = t.TrustLevel,
+			Client = clients.SingleOrDefault(c => c.ID == t.ID),
+			Owner = accounts.SingleOrDefault(a => a.ID == t.OwnerID)
+		});
+		return Ok(response);
+	}
+
+	[HttpGet("trusted_servers/{id}")]
+	public async Task<IActionResult> GetTrustedServer(string id)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
+
+		TrustedGameServer? ret = await trustedGameServerService.GetAsync(EpicID.FromString(id));
+		return Ok(ret);
+	}
+
+	[HttpPost("trusted_servers")]
+	public async Task<IActionResult> CreateTrustedServer([FromBody] TrustedGameServer body)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
+
+		Client? client = await clientService.GetAsync(body.ID);
+		if (client is null)
+		{
+			return BadRequest("Trusted server does not have a matching client with same ID");
+		}
+
+		TrustedGameServer? server = await trustedGameServerService.GetAsync(body.ID);
+		if (server is not null)
+		{
+			return BadRequest($"Trusted server {body.ID} already exists");
+		}
+
+		Account? owner = await accountService.GetAccountAsync(body.OwnerID);
+		if (owner is null)
+		{
+			return BadRequest($"OwnerID {body.OwnerID} is not a valid account ID");
+		}
+
+		if (!owner.Flags.HasFlag(AccountFlags.HubOwner))
+		{
+			return BadRequest($"Account specified with OwnerID {body.OwnerID} is not marked as HubOwner");
+		}
+
+		await trustedGameServerService.UpdateAsync(body);
 		await matchmakingService.UpdateTrustLevelAsync(body.ID, body.TrustLevel);
-
-		return Ok();
-	}
-
-	[HttpPatch("trusted_servers/{id}")]
-	public async Task<IActionResult> UpdateTrustedServer(string id, [FromBody] TrustedGameServer server)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
-
-		var eid = EpicID.FromString(id);
-
-		if (eid != server.ID)
-		{
-			return BadRequest();
-		}
-
-		await trustedGameServerService.UpdateAsync(server);
-		await matchmakingService.UpdateTrustLevelAsync(server.ID, server.TrustLevel);
-
-		return Ok();
-	}
-
-	[HttpDelete("trusted_servers/{id}")]
-	public async Task<IActionResult> DeleteTrustedServer(string id)
-	{
-		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
-
-		var eid = EpicID.FromString(id);
-		var ret = await trustedGameServerService.RemoveAsync(eid);
-
-		await matchmakingService.UpdateTrustLevelAsync(eid, GameServerTrust.Untrusted);
-
-		return Ok(ret);
-	}
-
-	#endregion
-
-	#region Cloud Storage
-
-	[HttpGet("mcp_files")]
-	public async Task<IActionResult> GetMCPFiles()
-	{
-		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
-		List<CloudFile>? files = await cloudStorageService.ListFilesAsync(EpicID.Empty, false);
-		IEnumerable<CloudFileAdminPanelResponse>? responseFiles = files.Select(x => new CloudFileAdminPanelResponse(x, IsAccessibleCloudStorageFile(admin.Account.Flags, x.Filename)));
-		return Ok(responseFiles);
-	}
-
-	[HttpPost("mcp_files")]
-	public async Task<IActionResult> UpdateMCPFile()
-	{
-		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
-
-		IFormCollection? formCollection = await Request.ReadFormAsync();
-		if (formCollection.Files.Count < 1)
-		{
-			return BadRequest("Missing file");
-		}
-
-		IFormFile? file = formCollection.Files[0];
-		var filename = ContentDispositionHeaderValue.Parse(file.ContentDisposition).FileName.ToString().Trim('"');
-		if (file.Length <= 0)
-		{
-			return BadRequest("Cannot upload empty file");
-		}
-
-		if (!IsAccessibleCloudStorageFile(admin.Account.Flags, filename))
-		{
-			return Unauthorized("You are not authorized to upload this file");
-		}
-
-		using (Stream? stream = file.OpenReadStream())
-		{
-			await cloudStorageService.UpdateFileAsync(EpicID.Empty, filename, stream);
-		}
-		return Ok();
-	}
-
-	[HttpGet("mcp_files/{filename}"), Produces("application/octet-stream")]
-	public async Task<IActionResult> GetMCPFile(string filename)
-	{
-		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
-
-		CloudFile? file = await cloudStorageService.GetFileAsync(EpicID.Empty, filename);
-		if (file is null)
-		{
-			return NotFound(new ErrorResponse() { ErrorMessage = "File not found" });
-		}
-
-		return new FileContentResult(file.RawContent, "application/octet-stream");
-	}
-
-	[HttpDelete("mcp_files/{filename}")]
-	public async Task<IActionResult> DeleteMCPFile(string filename)
-	{
-		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
-
-		if (!IsAccessibleCloudStorageFile(admin.Account.Flags, filename))
-		{
-			return Unauthorized("You are not authorized to delete this file");
-		}
-
-		if (await cloudStorageService.DeleteFileAsync(EpicID.Empty, filename) != true)
-		{
-			return Forbid("Cannot delete file. Either this file is not deletable or something went wrong.");
-		}
-		return Ok();
+
+		return Ok();
+	}
+
+	[HttpPatch("trusted_servers/{id}")]
+	public async Task<IActionResult> UpdateTrustedServer(string id, [FromBody] TrustedGameServer server)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
+
+		var eid = EpicID.FromString(id);
+
+		if (eid != server.ID)
+		{
+			return BadRequest();
+		}
+
+		await trustedGameServerService.UpdateAsync(server);
+		await matchmakingService.UpdateTrustLevelAsync(server.ID, server.TrustLevel);
+
+		return Ok();
+	}
+
+	[HttpDelete("trusted_servers/{id}")]
+	public async Task<IActionResult> DeleteTrustedServer(string id)
+	{
+		await VerifyAccessAsync(AccountFlags.ACL_TrustedServers);
+
+		var eid = EpicID.FromString(id);
+		var ret = await trustedGameServerService.RemoveAsync(eid);
+
+		await matchmakingService.UpdateTrustLevelAsync(eid, GameServerTrust.Untrusted);
+
+		return Ok(ret);
+	}
+
+	#endregion
+
+	#region Cloud Storage
+
+	[HttpGet("mcp_files")]
+	public async Task<IActionResult> GetMCPFiles()
+	{
+		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
+		List<CloudFile>? files = await cloudStorageService.ListFilesAsync(EpicID.Empty, false);
+		IEnumerable<CloudFileAdminPanelResponse>? responseFiles = files.Select(x => new CloudFileAdminPanelResponse(x, IsAccessibleCloudStorageFile(admin.Account.Flags, x.Filename)));
+		return Ok(responseFiles);
 	}
 
-	#endregion
-
-	[NonAction]
-	private async Task<(Session Session, Account Account)> VerifyAccessAsync(params AccountFlags[] aclAny)
-	{
-		if (User.Identity is not EpicUserIdentity user)
-		{
-			throw new UnauthorizedAccessException("User not logged in");
-		}
-
-		Account? account = await accountService.GetAccountAsync(user.Session.AccountID);
-		if (account == null)
-		{
-			throw new UnauthorizedAccessException("User not found");
-		}
-
-		AccountFlags combinedAcl = aclAny.Aggregate((x, y) => x | y) | AccountFlags.Admin;
-
-		if (!account.Flags.HasFlagAny(combinedAcl))
-		{
-			throw new UnauthorizedAccessException("User has insufficient privileges");
-		}
-
-		return (user.Session, account);
-	}
-
-	[NonAction]
-	private static bool IsSpecialClientID(EpicID id)
-	{
-		if (id == ClientIdentification.Game.ID || id == ClientIdentification.ServerInstance.ID || id == ClientIdentification.Launcher.ID)
-		{
-			return true;
-		}
-
-		return false;
-	}
-
-	[NonAction]
-	private static bool IsAccessibleCloudStorageFile(AccountFlags flags, string filename)
-	{
-		if (flags.HasFlag(AccountFlags.Admin))
-		{
-			return true;
-		}
-		if (flags.HasFlag(AccountFlags.ACL_CloudStorageAnnouncements))
-		{
-			if (filename == "UnrealTournmentMCPAnnouncement.json" || filename.StartsWith("news-"))
-			{
-				return true;
-			}
-		}
-		if (flags.HasFlag(AccountFlags.ACL_CloudStorageRulesets))
-		{
-			var allowedFilenames = new[] { "UTMCPPlaylists.json", "UnrealTournamentOnlineSettings.json", "UnrealTournmentMCPGameRulesets.json" };
-			if (allowedFilenames.Contains(filename))
-			{
-				return true;
-			}
-		}
-		if (flags.HasFlag(AccountFlags.ACL_CloudStorageChallenges))
-		{
-			if (filename == "UnrealTournmentMCPStorage.json")
-			{
-				return true;
-			}
-		}
-
-		return false;
-	}
-}
+	[HttpPost("mcp_files")]
+	public async Task<IActionResult> UpdateMCPFile()
+	{
+		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
+
+		IFormCollection? formCollection = await Request.ReadFormAsync();
+		if (formCollection.Files.Count < 1)
+		{
+			return BadRequest("Missing file");
+		}
+
+		IFormFile? file = formCollection.Files[0];
+		var filename = ContentDispositionHeaderValue.Parse(file.ContentDisposition).FileName.ToString().Trim('"');
+		if (file.Length <= 0)
+		{
+			return BadRequest("Cannot upload empty file");
+		}
+
+		if (!IsAccessibleCloudStorageFile(admin.Account.Flags, filename))
+		{
+			return Unauthorized("You are not authorized to upload this file");
+		}
+
+		using (Stream? stream = file.OpenReadStream())
+		{
+			await cloudStorageService.UpdateFileAsync(EpicID.Empty, filename, stream);
+		}
+		return Ok();
+	}
+
+	[HttpGet("mcp_files/{filename}"), Produces("application/octet-stream")]
+	public async Task<IActionResult> GetMCPFile(string filename)
+	{
+		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
+
+		CloudFile? file = await cloudStorageService.GetFileAsync(EpicID.Empty, filename);
+		if (file is null)
+		{
+			return NotFound(new ErrorResponse() { ErrorMessage = "File not found" });
+		}
+
+		return new FileContentResult(file.RawContent, "application/octet-stream");
+	}
+
+	[HttpDelete("mcp_files/{filename}")]
+	public async Task<IActionResult> DeleteMCPFile(string filename)
+	{
+		(Session Session, Account Account) admin = await VerifyAccessAsync(AccountFlags.ACL_CloudStorageAnnouncements | AccountFlags.ACL_CloudStorageRulesets | AccountFlags.ACL_CloudStorageChallenges);
+
+		if (!IsAccessibleCloudStorageFile(admin.Account.Flags, filename))
+		{
+			return Unauthorized("You are not authorized to delete this file");
+		}
+
+		if (await cloudStorageService.DeleteFileAsync(EpicID.Empty, filename) != true)
+		{
+			return Forbid("Cannot delete file. Either this file is not deletable or something went wrong.");
+		}
+		return Ok();
+	}
+
+	#endregion
+
+	[HttpPost("send-text-email")]
+	public async Task<IActionResult> SendTextEmail([FromBody] SendEmailRequest sendEmailRequest)
+	{
+		await emailService.SendTextEmailAsync(sendEmailRequest.From, sendEmailRequest.To, sendEmailRequest.Subject, sendEmailRequest.Body);
+		return Ok();
+	}
+
+	[HttpPost("send-html-email")]
+	public async Task<IActionResult> SendHtmlEmail([FromBody] SendEmailRequest sendEmailRequest)
+	{
+		await emailService.SendHTMLEmailAsync(sendEmailRequest.From, sendEmailRequest.To, sendEmailRequest.Subject, sendEmailRequest.Body);
+		return Ok();
+	}
+
+	[NonAction]
+	private async Task<(Session Session, Account Account)> VerifyAccessAsync(params AccountFlags[] aclAny)
+	{
+		if (User.Identity is not EpicUserIdentity user)
+		{
+			throw new UnauthorizedAccessException("User not logged in");
+		}
+
+		Account? account = await accountService.GetAccountAsync(user.Session.AccountID);
+		if (account == null)
+		{
+			throw new UnauthorizedAccessException("User not found");
+		}
+
+		AccountFlags combinedAcl = aclAny.Aggregate((x, y) => x | y) | AccountFlags.Admin;
+
+		if (!account.Flags.HasFlagAny(combinedAcl))
+		{
+			throw new UnauthorizedAccessException("User has insufficient privileges");
+		}
+
+		return (user.Session, account);
+	}
+
+	[NonAction]
+	private static bool IsSpecialClientID(EpicID id)
+	{
+		if (id == ClientIdentification.Game.ID || id == ClientIdentification.ServerInstance.ID || id == ClientIdentification.Launcher.ID)
+		{
+			return true;
+		}
+
+		return false;
+	}
+
+	[NonAction]
+	private static bool IsAccessibleCloudStorageFile(AccountFlags flags, string filename)
+	{
+		if (flags.HasFlag(AccountFlags.Admin))
+		{
+			return true;
+		}
+		if (flags.HasFlag(AccountFlags.ACL_CloudStorageAnnouncements))
+		{
+			if (filename == "UnrealTournmentMCPAnnouncement.json" || filename.StartsWith("news-"))
+			{
+				return true;
+			}
+		}
+		if (flags.HasFlag(AccountFlags.ACL_CloudStorageRulesets))
+		{
+			var allowedFilenames = new[] { "UTMCPPlaylists.json", "UnrealTournamentOnlineSettings.json", "UnrealTournmentMCPGameRulesets.json" };
+			if (allowedFilenames.Contains(filename))
+			{
+				return true;
+			}
+		}
+		if (flags.HasFlag(AccountFlags.ACL_CloudStorageChallenges))
+		{
+			if (filename == "UnrealTournmentMCPStorage.json")
+			{
+				return true;
+			}
+		}
+
+		return false;
+	}
+}
diff --git a/UT4MasterServer/Controllers/Epic/AccountController.cs b/UT4MasterServer/Controllers/Epic/AccountController.cs
index 98093a11..1a71ca99 100644
--- a/UT4MasterServer/Controllers/Epic/AccountController.cs
+++ b/UT4MasterServer/Controllers/Epic/AccountController.cs
@@ -3,13 +3,15 @@
 using Microsoft.Extensions.Options;
 using Newtonsoft.Json.Linq;
 using UT4MasterServer.Authentication;
-using UT4MasterServer.Common.Helpers;
 using UT4MasterServer.Common;
+using UT4MasterServer.Common.Enums;
+using UT4MasterServer.Common.Helpers;
 using UT4MasterServer.Models;
 using UT4MasterServer.Models.Database;
 using UT4MasterServer.Models.DTO.Responses;
 using UT4MasterServer.Models.Settings;
 using UT4MasterServer.Services.Scoped;
+using UT4MasterServer.Services.Singleton;
 
 namespace UT4MasterServer.Controllers.Epic;
 
@@ -24,12 +26,22 @@ public sealed class AccountController : JsonAPIController
 {
 	private readonly SessionService sessionService;
 	private readonly AccountService accountService;
+	private readonly RateLimitService rateLimitService;
+	private readonly IOptions<ApplicationSettings>? applicationSettings;
 	private readonly IOptions<ReCaptchaSettings> reCaptchaSettings;
 
-	public AccountController(ILogger<AccountController> logger, AccountService accountService, SessionService sessionService, IOptions<ReCaptchaSettings> reCaptchaSettings) : base(logger)
+	public AccountController(
+		ILogger<AccountController> logger,
+		AccountService accountService,
+		SessionService sessionService,
+		RateLimitService rateLimitService,
+		IOptions<ApplicationSettings> applicationSettings,
+		IOptions<ReCaptchaSettings> reCaptchaSettings) : base(logger)
 	{
 		this.accountService = accountService;
 		this.sessionService = sessionService;
+		this.rateLimitService = rateLimitService;
+		this.applicationSettings = applicationSettings;
 		this.reCaptchaSettings = reCaptchaSettings;
 	}
 
@@ -219,39 +231,40 @@ public async Task<IActionResult> RegisterAccount([FromForm] string username, [Fr
 		Account? account = await accountService.GetAccountAsync(username);
 		if (account != null)
 		{
-			logger.LogInformation($"Could not register duplicate account: {username}");
+			logger.LogInformation("Could not register duplicate account: {Username}.", username);
 			return Conflict("Username already exists");
 		}
 
 		if (!ValidationHelper.ValidateUsername(username))
 		{
-			logger.LogInformation($"Entered an invalid username: {username}");
-			return Conflict("You have entered an invalid username");
+			logger.LogInformation("Entered an invalid username: {Username}.", username);
+			return BadRequest("You have entered an invalid username");
 		}
 
 		email = email.ToLower();
 		account = await accountService.GetAccountByEmailAsync(email);
 		if (account != null)
 		{
-			logger.LogInformation($"Could not register duplicate email: {email}");
+			logger.LogInformation("Entered an existing email: {Email}.", email);
 			return Conflict("Email already exists");
 		}
 
 		if (!ValidationHelper.ValidateEmail(email))
 		{
-			logger.LogInformation($"Entered an invalid email format: {email}");
-			return Conflict("You have entered an invalid email address");
+			logger.LogInformation("Entered an invalid email: {Email}.", email);
+			return BadRequest("You have entered an invalid email address");
 		}
 
 		if (!ValidationHelper.ValidatePassword(password))
 		{
-			logger.LogInformation("Entered password was in invalid format");
-			return Conflict("Unexpected password format");
+			logger.LogInformation("Entered an invalid password.");
+			return BadRequest("You have entered an invalid password");
 		}
 
 		await accountService.CreateAccountAsync(username, email, password); // TODO: this cannot fail?
 
-		logger.LogInformation($"Registered new user: {username}");
+
+		logger.LogInformation("Registered new user: {Username}.", username);
 
 		return Ok("Account created successfully");
 	}
@@ -320,9 +333,13 @@ public async Task<IActionResult> UpdateEmail([FromForm] string newEmail)
 		}
 
 		account.Email = newEmail;
+		account.Flags &= ~AccountFlags.EmailVerified;
+		account.VerificationLinkGUID = null;
+		account.VerificationLinkExpiration = null;
 		await accountService.UpdateAccountAsync(account);
+		await accountService.ResendVerificationLinkAsync(newEmail);
 
-		logger.LogInformation($"Updated email for {user.Session.AccountID} to: {newEmail}");
+		logger.LogInformation("Updated email for {AccountID} to: {Email}.", user.Session.AccountID, newEmail);
 
 		return Ok("Changed email successfully");
 	}
@@ -377,5 +394,57 @@ public async Task<IActionResult> UpdatePassword([FromForm] string currentPasswor
 		return Ok("Changed password successfully");
 	}
 
+	[AllowAnonymous]
+	[HttpPost("verify-email")]
+	public async Task<IActionResult> VerifyEmail([FromForm] string accountID, [FromForm] string guid)
+	{
+		EpicID eid = EpicID.FromString(accountID);
+		await accountService.VerifyEmailAsync(eid, guid);
+		return Ok();
+	}
+
+	[AllowAnonymous]
+	[HttpPost("resend-verification-link")]
+	public async Task<IActionResult> ResendVerificationLink([FromForm] string email)
+	{
+		var clientIpAddress = GetClientIP(applicationSettings);
+		if (clientIpAddress == null)
+		{
+			logger.LogError("Could not determine IP Address of remote machine.");
+			return StatusCode(StatusCodes.Status500InternalServerError);
+		}
+
+		rateLimitService.CheckRateLimit($"{nameof(ResendVerificationLink)}-{clientIpAddress}");
+
+		await accountService.ResendVerificationLinkAsync(email);
+		return Ok();
+	}
+
+	[AllowAnonymous]
+	[HttpPost("initiate-reset-password")]
+	public async Task<IActionResult> InitiateResetPassword([FromForm] string email)
+	{
+		var clientIpAddress = GetClientIP(applicationSettings);
+		if (clientIpAddress == null)
+		{
+			logger.LogError("Could not determine IP Address of remote machine.");
+			return StatusCode(StatusCodes.Status500InternalServerError);
+		}
+
+		rateLimitService.CheckRateLimit($"{nameof(InitiateResetPassword)}-{clientIpAddress}");
+
+		await accountService.InitiateResetPasswordAsync(email);
+		return Ok();
+	}
+
+	[AllowAnonymous]
+	[HttpPost("reset-password")]
+	public async Task<IActionResult> ResetPassword([FromForm] string accountID, [FromForm] string guid, [FromForm] string newPassword)
+	{
+		EpicID eid = EpicID.FromString(accountID);
+		await accountService.ResetPasswordAsync(eid, guid, newPassword);
+		return Ok();
+	}
+
 	#endregion
 }
diff --git a/UT4MasterServer/Controllers/ErrorsController.cs b/UT4MasterServer/Controllers/ErrorsController.cs
index 2c0810e0..1204e679 100644
--- a/UT4MasterServer/Controllers/ErrorsController.cs
+++ b/UT4MasterServer/Controllers/ErrorsController.cs
@@ -1,4 +1,4 @@
-using Microsoft.AspNetCore.Diagnostics;
+using Microsoft.AspNetCore.Diagnostics;
 using Microsoft.AspNetCore.Mvc;
 using UT4MasterServer.Common.Exceptions;
 using UT4MasterServer.Models.DTO.Responses;
@@ -9,6 +9,8 @@ namespace UT4MasterServer.Controllers;
 [Route("api/errors")]
 public sealed class ErrorsController : ControllerBase
 {
+	private const string NotFoundError = "Not found.";
+	private const string BadRequestError = "Bad request.";
 	private const string InternalServerError = "Internal server error occurred.";
 	private const string UnauthorizedError = "Attempt to access resource without required authorization.";
 
@@ -32,33 +34,75 @@ public IActionResult Index()
 			logger.LogError(InternalServerError);
 			return StatusCode(statusCode, message);
 		}
-		
+
 		switch (exception)
 		{
 			case InvalidEpicIDException invalidEpicIDException:
-			{
-				var err = new ErrorResponse()
 				{
-					ErrorCode = invalidEpicIDException.ErrorCode,
-					ErrorMessage = invalidEpicIDException.Message,
-					MessageVars = new string[] { invalidEpicIDException.ID },
-					NumericErrorCode = invalidEpicIDException.NumericErrorCode
-				};
+					var err = new ErrorResponse()
+					{
+						ErrorCode = invalidEpicIDException.ErrorCode,
+						ErrorMessage = invalidEpicIDException.Message,
+						MessageVars = new string[] { invalidEpicIDException.ID },
+						NumericErrorCode = invalidEpicIDException.NumericErrorCode
+					};
 
-				logger.LogError(exception, "Tried using {ID} as EpicID.", invalidEpicIDException.ID);
-				return StatusCode(400, err);
-			}
+					logger.LogError(exception, "Tried using {ID} as EpicID.", invalidEpicIDException.ID);
+					return StatusCode(400, err);
+				}
 
 			case UnauthorizedAccessException unauthorizedAccessException:
-			{
-				logger.LogWarning(exception, UnauthorizedError);
-				return StatusCode(401, new ErrorResponse()
 				{
-					ErrorCode = "com.epicgames.errors.unauthorized",
-					ErrorMessage = string.IsNullOrWhiteSpace(unauthorizedAccessException.Message) ? UnauthorizedError : unauthorizedAccessException.Message,
-					NumericErrorCode = 401
-				});
-			}
+					logger.LogWarning(exception, UnauthorizedError);
+					return StatusCode(401, new ErrorResponse()
+					{
+						ErrorCode = "com.epicgames.errors.unauthorized",
+						ErrorMessage = string.IsNullOrWhiteSpace(unauthorizedAccessException.Message) ? UnauthorizedError : unauthorizedAccessException.Message,
+						NumericErrorCode = 401
+					});
+				}
+
+			case EmailVerificationException emailVerificationException:
+				{
+					var err = new ErrorResponse()
+					{
+						ErrorCode = "ut4masterserver.errors.emailverification",
+						ErrorMessage = emailVerificationException.Message,
+						MessageVars = Array.Empty<string>(),
+						NumericErrorCode = 404
+					};
+
+					logger.LogError(emailVerificationException, "Email verification failed.");
+					return StatusCode(404, err);
+				}
+
+			case NotFoundException notFoundException:
+				{
+					var err = new ErrorResponse()
+					{
+						ErrorCode = "ut4masterserver.errors.notfound",
+						ErrorMessage = notFoundException.Message,
+						MessageVars = Array.Empty<string>(),
+						NumericErrorCode = 404
+					};
+
+					logger.LogWarning(notFoundException, NotFoundError);
+					return StatusCode(404, err);
+				}
+
+			case RateLimitExceededException rateLimitExceededException:
+				{
+					var err = new ErrorResponse()
+					{
+						ErrorCode = "ut4masterserver.errors.ratelimitexceeded",
+						ErrorMessage = rateLimitExceededException.Message,
+						MessageVars = Array.Empty<string>(),
+						NumericErrorCode = 400
+					};
+
+					logger.LogWarning(rateLimitExceededException, BadRequestError);
+					return StatusCode(400, err);
+				}
 		}
 
 		logger.LogError(exception, InternalServerError);
diff --git a/UT4MasterServer/Program.cs b/UT4MasterServer/Program.cs
index 4f8b9e69..8032c33f 100644
--- a/UT4MasterServer/Program.cs
+++ b/UT4MasterServer/Program.cs
@@ -6,6 +6,7 @@
 using Serilog;
 using UT4MasterServer.Authentication;
 using UT4MasterServer.Common;
+using UT4MasterServer.Common.Helpers;
 using UT4MasterServer.Configuration;
 using UT4MasterServer.Formatters;
 using UT4MasterServer.Models.Database;
@@ -14,6 +15,7 @@
 using UT4MasterServer.Serializers.Json;
 using UT4MasterServer.Services;
 using UT4MasterServer.Services.Hosted;
+using UT4MasterServer.Services.Interfaces;
 using UT4MasterServer.Services.Scoped;
 using UT4MasterServer.Services.Singleton;
 
@@ -63,11 +65,36 @@ public static void Main(string[] args)
 		// load settings objects
 		builder.Services
 			.Configure<ApplicationSettings>(builder.Configuration.GetSection("ApplicationSettings"))
+			.Configure<AWSSettings>(builder.Configuration.GetSection("AWS"))
 			.Configure<StatisticsSettings>(builder.Configuration.GetSection("StatisticsSettings"))
 			.Configure<ReCaptchaSettings>(builder.Configuration.GetSection("ReCaptchaSettings"));
 
 		builder.Services.Configure<ApplicationSettings>(x =>
 		{
+			if (builder.Environment.IsProduction())
+			{
+				if (string.IsNullOrWhiteSpace(x.WebsiteScheme))
+				{
+					Log.Logger.Error("Missing website scheme: {Value}.", x.WebsiteScheme);
+					return;
+				}
+				if (string.IsNullOrWhiteSpace(x.WebsiteDomain))
+				{
+					Log.Logger.Error("Missing website domain: {Value}.", x.WebsiteDomain);
+					return;
+				}
+				if (x.WebsitePort == -1)
+				{
+					Log.Logger.Error("Missing website port: {Value}.", x.WebsitePort);
+					return;
+				}
+				if (!ValidationHelper.ValidateEmail(x.NoReplyEmail))
+				{
+					Log.Logger.Error("Invalid or missing no-reply email: {Value}.", x.NoReplyEmail);
+					return;
+				}
+			}
+
 			// handle proxy list loading
 			if (string.IsNullOrWhiteSpace(x.ProxyServersFile))
 			{
@@ -104,6 +131,9 @@ public static void Main(string[] args)
 			}
 		});
 
+		// Microsoft services
+		builder.Services.AddMemoryCache();
+
 		// services whose instance is created per-request
 		builder.Services
 			.AddScoped<DatabaseContext>()
@@ -115,13 +145,16 @@ public static void Main(string[] args)
 			.AddScoped<TrustedGameServerService>()
 			.AddScoped<MatchmakingService>()
 			.AddScoped<StatisticsService>()
-			.AddScoped<RatingsService>();
+			.AddScoped<RatingsService>()
+			.AddScoped<IEmailService, AwsSesClient>()
+			.AddScoped<CleanupService>();
 
 		// services whose instance is created once and are persistent
 		builder.Services
 			.AddSingleton<RuntimeInfoService>()
 			.AddSingleton<CodeService>()
-			.AddSingleton<MatchmakingWaitTimeEstimateService>();
+			.AddSingleton<MatchmakingWaitTimeEstimateService>()
+			.AddSingleton<RateLimitService>();
 
 		// hosted services
 		builder.Services
diff --git a/UT4MasterServer/appsettings.Development.json b/UT4MasterServer/appsettings.Development.json
index 39e99c33..8c8e490c 100644
--- a/UT4MasterServer/appsettings.Development.json
+++ b/UT4MasterServer/appsettings.Development.json
@@ -1,4 +1,9 @@
 {
+	"ApplicationSettings": {
+		"WebsiteScheme": "http",
+		"WebsiteDomain": "localhost",
+		"WebsitePort": 8080
+	},
 	"Logging": {
 		"LogLevel": {
 			"Default": "Trace",
diff --git a/UT4MasterServer/appsettings.json b/UT4MasterServer/appsettings.json
index 9644b9fc..52f46ba1 100644
--- a/UT4MasterServer/appsettings.json
+++ b/UT4MasterServer/appsettings.json
@@ -2,9 +2,17 @@
 	"ApplicationSettings": {
 		"DatabaseConnectionString": "mongodb://devroot:devroot@mongo:27017",
 		"DatabaseName": "ut4master",
+		"WebsiteScheme": "https",
+		"WebsiteDomain": "ut4.timiimit.com",
 		"AllowPasswordGrantType": true,
 		"ProxyClientIPHeader": "X-Forwarded-For",
-		"ProxyServers": ["172.20.0.1"]
+		"ProxyServers": ["172.20.0.1"],
+		"NoReplyEmail": "noreply@ut4.timiimit.com"
+	},
+	"AWS": {
+		"AccessKey": "",
+		"SecretKey": "",
+		"RegionName": "eu-central-1"
 	},
 	"StatisticsSettings": {
 		"DeleteOldStatisticsTimeZone": "Central European Standard Time",