diff --git a/src/Authentication/Passwords/NothingPersonalValidator.php b/src/Authentication/Passwords/NothingPersonalValidator.php
index 6a4102e6b..2d3c66fd9 100644
--- a/src/Authentication/Passwords/NothingPersonalValidator.php
+++ b/src/Authentication/Passwords/NothingPersonalValidator.php
@@ -72,10 +72,16 @@ protected function isNotPersonal(string $password, ?User $user): bool
             $needles = $this->strip_explode($userName);
 
             // extract local-part and domain parts from email as separate needles
-            [
-                $localPart,
-                $domain,
-            ] = explode('@', $email);
+            if (str_contains($email, '@')) {
+                [
+                    $localPart,
+                    $domain,
+                ] = explode('@', $email);
+            } else {
+                $localPart = $email;
+                $domain    = null;
+            }
+
             // might be john.doe@example.com and we want all the needles we can get
             $emailParts = $this->strip_explode($localPart);
             if (! empty($domain)) {