diff --git a/kfet/views.py b/kfet/views.py
index b0c90083..58413d80 100644
--- a/kfet/views.py
+++ b/kfet/views.py
@@ -2260,6 +2260,12 @@ class AccountStatBalance(PkUrlMixin, JSONDetailView):
 # TODO: offset
 return context

+ def get_object(self, *args, **kwargs):
+ obj = super().get_object(*args, **kwargs)
+ if self.request.user != obj.user:
+ raise PermissionDenied
+ return obj
+
 @method_decorator(login_required)
 def dispatch(self, *args, **kwargs):
 return super(AccountStatBalance, self).dispatch(*args, **kwargs)
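Review bot: The new `get_object` override has no docstring saying who may read an account's balance statistics, and `self.request.user != obj.user` rejects every non-owner, which presumably includes staff or team users who hold a view permission on other accounts. If owner-only is the intent, state it, e.g. `"""Return the account only if it belongs to the requesting user; raise PermissionDenied otherwise."""`, and otherwise extend the condition with the relevant permission check. Because the check runs after the lookup, an unknown pk presumably still answers 404 while another user's account answers 403, so the two responses reveal which accounts exist; raising `Http404` in both cases would close that if account identifiers are considered sensitive. The import of `PermissionDenied` is not visible in this hunk and the class body starts above it, so confirm `from django.core.exceptions import PermissionDenied` is present. A regression test that requests this view as a second logged-in user and expects a refusal would keep the check from being dropped later.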