diff --git a/src/api/client/session.rs b/src/api/client/session.rs
index 8cd61410..d295a5b3 100644
--- a/src/api/client/session.rs
+++ b/src/api/client/session.rs
@@ -13,6 +13,7 @@ use futures::StreamExt;
 use ruma::{
 	OwnedUserId, UserId,
 	api::client::{
+		error::ErrorKind,
 		session::{
 			get_login_token,
 			get_login_types::{
@@ -185,6 +186,10 @@ pub(crate) async fn handle_login(
 		return Err!(Request(Unknown("User ID does not belong to this homeserver")));
 	}
 
+	if services.users.is_locked(&user_id)? {
+		return Err(Error::BadRequest(ErrorKind::UserLocked, "This account has been locked."));
+	}
+
 	if services.users.is_login_disabled(&user_id).await {
 		warn!(%user_id, "user attempted to log in with a login-disabled account");
 		return Err!(Request(Forbidden("This account is not permitted to log in.")));