diff --git a/flexiapi/app/Account.php b/flexiapi/app/Account.php
index 03424c2..907714c 100644
--- a/flexiapi/app/Account.php
+++ b/flexiapi/app/Account.php
@@ -339,6 +339,12 @@ class Account extends Authenticatable
             ->exists();
     }
 
+    public function failedRecentRecovery(): bool
+    {
+        $oneHourAgo = Carbon::now()->subHour();
+        return !empty($this->recovery_code) && $this->updated_at->greaterThan($oneHourAgo);
+    }
+
     public function updatePassword($newPassword, string $algorithm = 'SHA-256')
     {
         $this->passwords()->delete();
diff --git a/flexiapi/app/Http/Controllers/Account/RecoveryController.php b/flexiapi/app/Http/Controllers/Account/RecoveryController.php
index e2594ca..7e59235 100644
--- a/flexiapi/app/Http/Controllers/Account/RecoveryController.php
+++ b/flexiapi/app/Http/Controllers/Account/RecoveryController.php
@@ -81,6 +81,10 @@ class RecoveryController extends Controller
             return redirect()->back()->withErrors(['identifier' => 'The account doesn\'t exists']);
         }
 
+        if ($account->failedRecentRecovery()) {
+            return redirect()->back()->withErrors(['code' => 'Account recovered recently, try again later']);
+        }
+
         if ($request->get('email')) {
             $account = (new AccountService)->recoverByEmail($account);
         } elseif ($request->get('phone')) {
@@ -112,7 +116,7 @@ class RecoveryController extends Controller
         return redirect()->route($request->get('method') == 'phone' ? 'account.recovery.show.phone' : 'account.recovery.show.email')->withErrors([
-            'code' => 'The code entered was not valid'
+            'code' => 'The code entered was not valid, try again later'
         ]);
     }
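Review bot: failedRecentRecovery() keys its one-hour window off `$this->updated_at`, the generic Eloquent timestamp that is bumped by any save of the account row, so the throttle will fire or stay silent depending on unrelated writes rather than on when the recovery code was actually issued; it also dereferences `updated_at` with no null guard. If the intent is to stop a new code from being issued for an hour after one was sent, record that moment in its own column (placeholder: `<recovery-code-sent-at column>`) and compare that here, guarding with `$this->updated_at !== null && ...` in the meantime. The name also promises more than the code shows: the method is true whenever a recovery code is still pending and the row was touched within the hour, not when a recovery failed, so a docblock such as `/** True while a recovery code is pending and the account row was modified less than an hour ago; used to throttle re-issuing codes. */` would keep callers from misreading it. `Carbon` is used unqualified; confirm the import exists at the top of Account.php, which is outside this hunk.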
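Review bot: The new throttle error is attached to the `code` key, while the not-found error on the same `redirect()->back()` a few lines above uses `identifier`; if the form at this step renders only identifier errors (not visible here), the throttle message is silently dropped and the user sees a blank re-render with no explanation. Use the key the identifier view actually displays, e.g. `['identifier' => 'Account recovered recently, try again later']`, and consider wording that matches what happened (a code was recently sent, not a completed recovery). The enclosing controller method starts and ends outside the hunk.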