diff --git a/pkg/api/users.go b/pkg/api/users.go
index 30f4892b..98f68b79 100644
--- a/pkg/api/users.go
+++ b/pkg/api/users.go
@@ -263,12 +263,22 @@ func (a *UsersApi) UserUpdateProfileHandler(c *core.Context) (any, *errs.Error)
 }
 if userUpdateReq.DefaultAccountId > 0 && userUpdateReq.DefaultAccountId != user.DefaultAccountId {
- accounts, err := a.accounts.GetAccountsByAccountIds(c, uid, []int64{userUpdateReq.DefaultAccountId})
+ accountMap, err := a.accounts.GetAccountsByAccountIds(c, uid, []int64{userUpdateReq.DefaultAccountId})
- if err != nil || len(accounts) < 1 {
+ if err != nil || len(accountMap) < 1 {
 return nil, errs.Or(err, errs.ErrUserDefaultAccountIsInvalid)
 }
+ if _, exists := accountMap[userUpdateReq.DefaultAccountId]; !exists {
+ log.WarnfWithRequestId(c, "[users.UserUpdateProfileHandler] account \"id:%d\" does not exist for user \"uid:%d\"", userUpdateReq.DefaultAccountId, uid)
+ return nil, errs.ErrUserDefaultAccountIsInvalid
+ }
+
+ if accountMap[userUpdateReq.DefaultAccountId].Hidden {
+ log.WarnfWithRequestId(c, "[users.UserUpdateProfileHandler] account \"id:%d\" is hidden of user \"uid:%d\"", userUpdateReq.DefaultAccountId, uid)
+ return nil, errs.ErrUserDefaultAccountIsHidden
+ }
+
 user.DefaultAccountId = userUpdateReq.DefaultAccountId
 userNew.DefaultAccountId = userUpdateReq.DefaultAccountId
 anythingUpdate = true
diff --git a/pkg/errs/user.go b/pkg/errs/user.go
index 4ae509fe..5592682c 100644
--- a/pkg/errs/user.go
+++ b/pkg/errs/user.go
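Review bot: In the pkg/api/users.go hunk, the hidden check re-indexes the map with `accountMap[userUpdateReq.DefaultAccountId].Hidden` right after the existence test; the map's element type is not visible here, and if it holds pointers a present-but-nil entry would panic the handler. Binding the entry once serves both checks: `account, exists := accountMap[userUpdateReq.DefaultAccountId]`, then `if !exists { … }` (adding `|| account == nil` if the value is a pointer) and `if account.Hidden { … }`. The key check itself is a sound hardening on top of the uid-scoped query, since `len(accountMap) < 1` alone would accept a non-empty map that lacks the requested id. The hidden rule is enforced only on this profile-update path in the visible hunks; whatever path hides an account presumably should also reject or clear an account that is currently the default, which this diff does not show. UserUpdateProfileHandler starts and ends outside the hunk.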
@@ -30,4 +30,5 @@ var (
 ErrEmailIsVerified = NewNormalError(NormalSubcategoryUser, 21, http.StatusBadRequest, "email is verified")
 ErrEmailValidationNotAllowed = NewNormalError(NormalSubcategoryUser, 22, http.StatusBadRequest, "email validation not allowed")
 ErrDecimalSeparatorAndDigitGroupingSymbolCannotBeEqual = NewNormalError(NormalSubcategoryUser, 23, http.StatusBadRequest, "decimal separator and digit grouping symbol cannot be equal")
+ ErrUserDefaultAccountIsHidden = NewNormalError(NormalSubcategoryUser, 24, http.StatusBadRequest, "user default account is hidden")
 )
diff --git a/src/locales/en.js b/src/locales/en.js
index bdc39f5f..103ae455 100644
--- a/src/locales/en.js
+++ b/src/locales/en.js
@@ -623,6 +623,7 @@ export default {
 'email is verified': 'Email is verified',
 'email validation not allowed': 'Email validation is not allowed',
 'decimal separator and digit grouping symbol cannot be equal': 'Decimal separator and digit grouping symbol cannot be equal',
+ 'user default account is hidden': 'Cannot set hidden account as default account',
 'unauthorized access': 'Unauthorized access',
 'current token is invalid': 'Current token is invalid',
 'current token is expired': 'Current token is expired',
diff --git a/src/locales/zh_Hans.js b/src/locales/zh_Hans.js
index ad4b43f6..e2f60a22 100644
--- a/src/locales/zh_Hans.js
+++ b/src/locales/zh_Hans.js
@@ -623,6 +623,7 @@ export default {
 'email is verified': '邮箱已经验证过',
 'email validation not allowed': '不允许邮箱验证',
 'decimal separator and digit grouping symbol cannot be equal': '小数点和数字分组符号不能相同',
+ 'user default account is hidden': '不能把隐藏账户设置为默认账户',
 'unauthorized access': '未授权的登录',
 'current token is invalid': '当前认证令牌无效',
 'current token is expired': '当前认证令牌已过期',