diff --git a/kfet/tests/test_statistic.py b/kfet/tests/test_statistic.py
index f0ed7f74..eda386b7 100644
--- a/kfet/tests/test_statistic.py
+++ b/kfet/tests/test_statistic.py
@@ -36,8 +36,7 @@ class TestStats(TestCase):
         client2 = Client()
         client2.login(username="Barfoo", password="barfoo")
 
-        # 1. FOO should be able to get these pages but BAR receives a Forbidden
-        # response
+        # 1. FOO should be able to get these pages but BAR receives a 404
         user_urls = [
             "/k-fet/accounts/FOO/stat/operations/list",
             "/k-fet/accounts/FOO/stat/operations?{}".format(
@@ -57,7 +56,7 @@ class TestStats(TestCase):
             resp = client.get(url)
             self.assertEqual(200, resp.status_code)
             resp2 = client2.get(url)
-            self.assertEqual(403, resp2.status_code)
+            self.assertEqual(404, resp2.status_code)
 
         # 2. FOO is a member of the team and can get these pages but BAR
         # receives a Redirect response
diff --git a/kfet/tests/test_views.py b/kfet/tests/test_views.py
index cb6c9a0c..41e579bf 100644
--- a/kfet/tests/test_views.py
+++ b/kfet/tests/test_views.py
@@ -209,6 +209,25 @@ class AccountReadViewTests(ViewTestCaseMixin, TestCase):
     auth_user = "team"
     auth_forbidden = [None, "user"]
 
+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
     def get_users_extra(self):
         return {"user1": create_user("user1", "001")}
 
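Review bot: `check_forbidden` only pins the status code, so the existence-oracle this hunk is meant to close (per the `# to avoid leaking trigrams` comment) would still be open if the 404 for `self.url_expected` and the 404 for `/k-fet/accounts/NEX` differ in body or headers; having `check_forbidden` `return response` and adding `self.assertEqual(real.content, missing.content)` in `test_forbidden` for each authenticated user would make the test actually prove indistinguishability. The anonymous branch needs no such check since both URLs yield the same login redirect. On style, this helper is copy-pasted verbatim into AccountStatOperationListViewTests, AccountStatOperationViewTests, AccountStatBalanceListViewTests and AccountStatBalanceViewTests, and with an extra `method` argument into AccountUpdateViewTests; one `check_forbidden(self, user, url, method="get")` on ViewTestCaseMixin (defined outside this diff) would cover all six and keep the parity assertion in one place.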
@@ -296,6 +315,27 @@ class AccountUpdateViewTests(ViewTestCaseMixin, TestCase):
             "team1": create_team("team1", "101", perms=["kfet.change_account"]),
         }
 
+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for method in ["get", "post"]:
+            for user in self.auth_forbidden:
+                self.check_forbidden(user, method, self.url_expected)
+                self.check_forbidden(user, method, "/k-fet/accounts/NEX/edit")
+
+    def check_forbidden(self, user, method, url):
+        client = Client()
+        meth = getattr(client, method)
+        if user is None:
+            response = meth(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = meth(url)
+            self.assertEqual(response.status_code, 404)
+
     def test_get_ok(self):
         r = self.client.get(self.url)
         self.assertEqual(r.status_code, 200)
@@ -375,7 +415,7 @@ class AccountDeleteViewTests(ViewTestCaseMixin, TestCase):
         if Account.objects.get(trigramme=trigramme).readable:
             expected_code = 200
         else:
-            expected_code = 403
+            expected_code = 404
         r = self.client.post(
             reverse(self.url_name, kwargs={"trigramme": trigramme}), {}
         )
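Review bot: In the AccountDeleteViewTests hunk, `expected_code = 404` for a non-readable account only constrains the status of the POST; nothing visible here checks that the deletion was actually refused, so a view that returned 404 after still deleting the row would pass. If the rest of the method does not already do so, the non-readable branch should add `self.assertTrue(Account.objects.filter(trigramme=trigramme).exists())` after the request. The enclosing test method starts and ends outside this hunk.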
@@ -555,6 +595,25 @@ class AccountStatOperationListViewTests(ViewTestCaseMixin, TestCase):
     def get_users_extra(self):
         return {"user1": create_user("user1", "001")}
 
+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations/list")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
     def test_ok(self):
         r = self.client.get(self.url)
         self.assertEqual(r.status_code, 200)
@@ -616,6 +675,25 @@ class AccountStatOperationViewTests(ViewTestCaseMixin, TestCase):
     auth_user = "user1"
     auth_forbidden = [None, "user", "team"]
 
+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/operations")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
     def get_users_extra(self):
         return {"user1": create_user("user1", "001")}
 
@@ -632,6 +710,25 @@ class AccountStatBalanceListViewTests(ViewTestCaseMixin, TestCase):
     auth_user = "user1"
     auth_forbidden = [None, "user", "team"]
 
+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance/list")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
     def get_users_extra(self):
         return {"user1": create_user("user1", "001")}
 
@@ -677,6 +774,25 @@ class AccountStatBalanceViewTests(ViewTestCaseMixin, TestCase):
     auth_user = "user1"
     auth_forbidden = [None, "user", "team"]
 
+    # Forbidden users should get a 404 here, to avoid leaking trigrams
+    # See issue #224
+    def test_forbidden(self):
+        for user in self.auth_forbidden:
+            self.check_forbidden(user, self.url_expected)
+            self.check_forbidden(user, "/k-fet/accounts/NEX/stat/balance")
+
+    def check_forbidden(self, user, url):
+        client = Client()
+        if user is None:
+            response = client.get(url)
+            self.assertRedirects(
+                response, "/login?next={}".format(url), fetch_redirect_response=False
+            )
+        else:
+            client.login(username=user, password=user)
+            response = client.get(url)
+            self.assertEqual(response.status_code, 404)
+
     def get_users_extra(self):
         return {"user1": create_user("user1", "001")}