diff --git a/ChangeLog.md b/ChangeLog.md
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -1,3 +1,7 @@
+## 1.4.13.3
+
+* Doc update (and a warning)
+
 ## 1.4.13.1
 
 * Add CSRF token to login form from `Yesod.Auth.Dummy` [#1205](https://github.com/yesodweb/yesod/pull/1205)
diff --git a/Yesod/Auth/Email.hs b/Yesod/Auth/Email.hs
--- a/Yesod/Auth/Email.hs
+++ b/Yesod/Auth/Email.hs
@@ -142,6 +142,12 @@
 
     -- | Verify the email address on the given account.
     --
+    -- __/Warning!/__ If you have persisted the @'AuthEmailId' site@
+    -- somewhere, this method should delete that key, or make it unusable
+    -- in some fashion. Otherwise, the same key can be used multiple times!
+    --
+    -- See <https://github.com/yesodweb/yesod/issues/1222>.
+    --
     -- Since 1.1.0
     verifyAccount :: AuthEmailId site -> HandlerT site IO (Maybe (AuthId site))
 
diff --git a/yesod-auth.cabal b/yesod-auth.cabal
--- a/yesod-auth.cabal
+++ b/yesod-auth.cabal
@@ -1,5 +1,5 @@
 name:            yesod-auth
-version:         1.4.13.2
+version:         1.4.13.3
 license:         MIT
 license-file:    LICENSE
 author:          Michael Snoyman, Patrick Brisbin
