diff --git a/modules/users/server/controllers/users/users.profile.server.controller.js b/modules/users/server/controllers/users/users.profile.server.controller.js
index 8dbd740a9e..9d2967e270 100644
--- a/modules/users/server/controllers/users/users.profile.server.controller.js
+++ b/modules/users/server/controllers/users/users.profile.server.controller.js
@@ -22,6 +22,9 @@ exports.update = function (req, res) {
 // For security measurement we remove the roles from the req.body object
 delete req.body.roles;
+ // For security measurement do not use _id from the req.body object
+ delete req.body._id;
+
 if (user) {
 // Merge existing user
 user = _.extend(user, req.body);
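Review bot: The added `delete req.body._id` extends a blocklist, but `user = _.extend(user, req.body)` on the last hunk line still copies every other key the client sends onto the user document, so any further server-managed field on the model (the existing `roles` deletion shows the pattern; the schema itself is not visible from here) stays mass-assignable. An allowlist is the durable fix: `user = _.extend(user, _.pick(req.body, ['firstName', 'lastName', 'email', 'username']));` — confirm the exact set of client-editable profile fields against the User schema before adopting that list. If the body parser can ever hand back something other than a plain object, the two `delete` statements are silent no-ops rather than a guard, so the filtering belongs on the merge side regardless. `exports.update` starts before this hunk and continues past it.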