diff --git a/packages/accounts-base/accounts_server.js b/packages/accounts-base/accounts_server.js
index 57ea4eb6e0..d2aa2adb65 100644
--- a/packages/accounts-base/accounts_server.js
+++ b/packages/accounts-base/accounts_server.js
@@ -1076,14 +1076,16 @@ Ap._generateStampedLoginToken = function () {
 ///
 function expirePasswordToken(accounts, oldestValidDate, tokenFilter, userId) {
- var userFilter = userId ? {_id: userId} : {};
-
- accounts.users.update(_.extend(userFilter, tokenFilter, {
+ const userFilter = userId ? {_id: userId} : {};
+ const resetRangeOr = {
 $or: [
 { "services.password.reset.when": { $lt: oldestValidDate } },
 { "services.password.reset.when": { $lt: +oldestValidDate } }
 ]
- }), {
+ };
+ const expireFilter = { $and: [tokenFilter, resetRangeOr] };
+
+ accounts.users.update({...userFilter, ...expireFilter}, {
 $unset: {
 "services.password.reset": ""
 }
diff --git a/packages/accounts-password/password_tests.js b/packages/accounts-password/password_tests.js
index 3a3e564f21..b09274ed4e 100644
--- a/packages/accounts-password/password_tests.js
+++ b/packages/accounts-password/password_tests.js
@@ -1474,7 +1474,7 @@ if (Meteor.isServer) (function () {
 );
 Tinytest.add(
- 'passwords - reset password doesn\t work if email changed after email sent',
+ "passwords - reset password doesn't work if email changed after email sent",
 function (test) {
 var username = Random.id();
 var email = username + '-intercept@example.com';
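Review bot: In `expirePasswordToken` (accounts_server.js) the move to `$and: [tokenFilter, resetRangeOr]` carries no comment saying why the two filters must not be merged key-wise, and that reasoning is what stops a later cleanup from flattening them back into one object. Presumably `tokenFilter` can carry its own top-level `$or`, which a merge would overwrite so that tokens are unset regardless of the intended filter; I would add `// tokenFilter may contain its own $or; combine with $and so neither clause is overwritten` above `expireFilter`. Separately, `userId ? {_id: userId} : {}` treats any falsy `userId` as "all users", so a caller passing an empty or undefined id by mistake widens the `$unset`; a short comment stating that this fallback is intentional would help. The rest of the function, including the update options, lies outside the hunk.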
@@ -1688,15 +1688,45 @@ if (Meteor.isServer) (function () { function (test) { var email = test.id + '-intercept@example.com'; var userId = Accounts.createUser({email: email, password: 'password'}); + Accounts.sendEnrollmentEmail(userId, email); test.isTrue(!!Meteor.users.findOne(userId).services.password.reset); Accounts._expirePasswordEnrollTokens(new Date(), userId); - test.isUndefined(Meteor.users.findOne(userId).services.password.reset); } ) + Tinytest.add( + "passwords - enroll tokens don't get cleaned up when reset tokens are cleaned up", + function (test) { + var email = test.id + '-intercept@example.com'; + var userId = Accounts.createUser({email: email, password: 'password'}); + + Accounts.sendEnrollmentEmail(userId, email); + var enrollToken = Meteor.users.findOne(userId).services.password.reset; + test.isTrue(enrollToken); + + Accounts._expirePasswordResetTokens(new Date(), userId); + test.equal(enrollToken, Meteor.users.findOne(userId).services.password.reset); + } + ) + + Tinytest.add( + "passwords - reset tokens don't get cleaned up when enroll tokens are cleaned up", + function (test) { + var email = test.id + '-intercept@example.com'; + var userId = Accounts.createUser({email: email, password: 'password'}); + + Accounts.sendResetPasswordEmail(userId, email); + var resetToken = Meteor.users.findOne(userId).services.password.reset; + test.isTrue(resetToken); + + Accounts._expirePasswordEnrollTokens(new Date(), userId); + test.equal(resetToken,Meteor.users.findOne(userId).services.password.reset); + } + ) + // We should be able to change the username Tinytest.add("passwords - change username", function (test) { var username = Random.id();
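Review bot: Both added tests pass `new Date()` as the cutoff right after sending the email, while the server-side filter shown in accounts_server.js compares with `$lt`. Assuming `when` is stamped at send time, a token and a cutoff that land on the same millisecond mean nothing is expired at all, so the "don't get cleaned up" assertions can pass without ever exercising the token-type filter. A cutoff that is clearly later, e.g. `Accounts._expirePasswordResetTokens(new Date(Date.now() + 1000), userId);` (and likewise for `_expirePasswordEnrollTokens`), makes the tests fail if the wrong token type is swept. The first test in this hunk uses the same `new Date()` cutoff and could in principle be affected by the same timing. The `if (Meteor.isServer) (function () {` wrapper and the first test's `Tinytest.add(` start outside the hunk, and the trailing "change username" test continues past it.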