diff --git a/hc/accounts/tests/test_switch_team.py b/hc/accounts/tests/test_switch_team.py
index 95bf7f96..4b0da64b 100644
--- a/hc/accounts/tests/test_switch_team.py
+++ b/hc/accounts/tests/test_switch_team.py
@@ -28,3 +28,17 @@ class SwitchTeamTestCase(BaseTestCase):
         url = "/accounts/switch_team/%s/" % self.alice.username
         r = self.client.get(url, follow=True)
         self.assertEqual(r.status_code, 200)
+
+    def test_it_handles_invalid_username(self):
+        self.client.login(username="bob@example.org", password="password")
+
+        url = "/accounts/switch_team/dave/"
+        r = self.client.get(url)
+        self.assertEqual(r.status_code, 403)
+
+    def test_it_requires_login(self):
+        url = "/accounts/switch_team/%s/" % self.alice.username
+        r = self.client.get(url)
+
+        expected_url = "/accounts/login/?next=/accounts/switch_team/alice/"
+        self.assertRedirects(r, expected_url)
diff --git a/hc/accounts/views.py b/hc/accounts/views.py
index cfcdef8e..befeb44c 100644
--- a/hc/accounts/views.py
+++ b/hc/accounts/views.py
@@ -266,8 +266,12 @@ def unsubscribe_reports(request, username):
     return render(request, "accounts/unsubscribed.html")
 
 
+@login_required
 def switch_team(request, target_username):
-    other_user = User.objects.get(username=target_username)
+    try:
+        other_user = User.objects.get(username=target_username)
+    except User.DoesNotExist:
+        return HttpResponseForbidden()
 
     # The rules:
     # Superuser can switch to any team.
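Review bot: `test_it_requires_login` builds `url` from `self.alice.username` but then hardcodes `alice` inside `expected_url`, so the two halves of the assertion can drift apart if the fixture username ever changes. Deriving the expectation from the same value keeps the test self-consistent: `expected_url = "/accounts/login/?next=" + url`. The `/accounts/login/` prefix is taken from the test as written; whether it matches the project's configured login URL is not visible here. The `SwitchTeamTestCase` header and its fixture setup are outside the hunk.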
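Review bot: The new `except User.DoesNotExist` branch answers an unknown `target_username` with 403 rather than 404, which — assuming the permission rules that follow also end in a 403 — makes the response identical whether the user does not exist or exists but is not switchable; that is a useful property, since the endpoint then does not confirm which usernames exist, but nothing in the code says it is deliberate. A one-line comment above the `return` would pin the intent down: `# Unknown username gets the same 403 as a disallowed one, so this view does not reveal which usernames exist.` Please also confirm `HttpResponseForbidden` is imported at the top of views.py, which is outside the hunk. The body of `switch_team` continues past the hunk.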