diff --git a/app/controllers/admin/stripe_accounts_controller.rb b/app/controllers/admin/stripe_accounts_controller.rb
index bdc7758cbb..a8b28b49cd 100644
--- a/app/controllers/admin/stripe_accounts_controller.rb
+++ b/app/controllers/admin/stripe_accounts_controller.rb
@@ -17,10 +17,11 @@ module Admin
 end
 
 def destroy_from_webhook
+ # Fetch the event again direct from stripe for extra security
 event = fetch_event_from_stripe(request)
- if event["type"] == "account.application.deauthorized"
- StripeAccount.where(stripe_user_id: event["data"]["id"]).map{ |account| account.destroy }
- render json: nil, status: 200
+ if event.type == "account.application.deauthorized"
+ StripeAccount.where(stripe_user_id: event.user_id).map{ |account| account.destroy }
+ render text: "Account #{event.user_id} deauthorized", status: 200
 else
 render json: nil, status: 501
 end
diff --git a/app/helpers/admin/stripe_helper.rb b/app/helpers/admin/stripe_helper.rb
index 9067d004af..9e930857dd 100644
--- a/app/helpers/admin/stripe_helper.rb
+++ b/app/helpers/admin/stripe_helper.rb
@@ -51,7 +51,8 @@ module Admin
 
 def fetch_event_from_stripe(request)
 event_json = JSON.parse(request.body.read)
- JSON.parse(Stripe::Event.retrieve(event_json["id"]))
+ acct_param = event_json["user_id"] ? {"Stripe-Account" => event_json["user_id"]} : nil
+ Stripe::Event.retrieve(event_json["id"],acct_param)
 end
 
 def deauthorize_request_for_stripe_id(id)
diff --git a/spec/controllers/admin/stripe_account_controller_spec.rb b/spec/controllers/admin/stripe_account_controller_spec.rb
index 08ab508019..f4c4682f69 100644
--- a/spec/controllers/admin/stripe_account_controller_spec.rb
+++ b/spec/controllers/admin/stripe_account_controller_spec.rb
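Review bot: A forged or malformed webhook body makes `fetch_event_from_stripe` raise at `event = fetch_event_from_stripe(request)` — `JSON::ParserError` for a non-JSON body, a `Stripe::StripeError` when the posted id does not exist at Stripe — so an unverifiable payload ends in a 500 instead of a deliberate rejection, which undercuts the "extra security" the new comment describes. Wrap the fetch in `rescue JSON::ParserError, Stripe::StripeError` and answer `render json: nil, status: 400` so the verification failure is explicit and logged as a bad request rather than an application error. Echoing `event.user_id` in the body is acceptable because it comes from the event retrieved from Stripe, not from the posted payload; note though that `render text:` is deprecated in Rails 5 in favour of `render plain:`, if this app is on that version (not visible here). `.map{ |account| account.destroy }` builds a throwaway array; `StripeAccount.where(stripe_user_id: event.user_id).destroy_all` says what is meant.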
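Review bot: `acct_param` falls back to `nil` when the payload has no `user_id`, and that `nil` is then passed as the opts argument of `Stripe::Event.retrieve`; depending on the installed stripe gem the opts normalisation may raise a `TypeError` on a non-Hash, so `: {}` is the safe fallback. The `"Stripe-Account"` value is copied from the unverified request body, which is only acceptable because it merely selects which connected account the platform-authenticated lookup is scoped to, and the code should say so, e.g. `# user_id is untrusted here: it only scopes the verified re-fetch to a connected account`; the gem's `stripe_account:` option expresses the same thing without relying on a raw header key surviving gem upgrades. A body that is not JSON or lacks `"id"` still raises out of this helper (`JSON.parse`, then `retrieve(nil, …)`), which every caller has to handle. Style: `retrieve(event_json["id"], acct_param)` needs a space after the comma.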
@@ -5,19 +5,35 @@ describe Admin::StripeAccountsController, type: :controller do
 it "deletes Stripe accounts in response to a webhook" do
 # https://stripe.com/docs/api#retrieve_event
 allow(controller).to receive(:fetch_event_from_stripe)
- .and_return({
- "id" => "evt_18zt9YFBE7f7kItLg9f343bn",
- "object" => "event",
- "created" => 1475350088,
- "data" => {
- "id" => "webhook_id",
- "name" => "OFN",
- "object" => "application"
- },
- "type" => "account.application.deauthorized"
- })
+ .and_return(Stripe::Event.construct_from({"id"=>"evt_wrfwg4323fw",
+ "object"=>"event",
+ "api_version"=>nil,
+ "created"=>1484870684,
+ "data"=>
+ {"object"=>
+ {"id"=>"application_id",
+ "object"=>"application",
+ "name"=>"Open Food Network UK"}},
+ "livemode"=>false,
+ "pending_webhooks"=>1,
+ "request"=>nil,
+ "type"=>"account.application.deauthorized",
+ "user_id"=>"webhook_id"}))
 account = create(:stripe_account, stripe_user_id: "webhook_id")
- post 'destroy_from_webhook'
+ post 'destroy_from_webhook', {"id"=>"evt_wrfwg4323fw",
+ "object"=>"event",
+ "api_version"=>nil,
+ "created"=>1484870684,
+ "data"=>
+ {"object"=>
+ {"id"=>"ca_9ByaSyyyXj5O73DWisU0KLluf0870Vro",
+ "object"=>"application",
+ "name"=>"Open Food Network UK"}},
+ "livemode"=>false,
+ "pending_webhooks"=>1,
+ "request"=>nil,
+ "type"=>"account.application.deauthorized",
+ "user_id"=>"webhook_id"}
 expect(StripeAccount.all).not_to include account
 end
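Review bot: The example stubs `fetch_event_from_stripe` wholesale, so the new `Stripe-Account` branch in the helper is never executed, and the posted body is never related to the stubbed event (its `data.object.id` is `ca_9ByaSyyyXj5O73DWisU0KLluf0870Vro` while the stub says `application_id`), so the spec keeps passing whatever the controller reads from the request. Add a helper-level example that stubs `Stripe::Event.retrieve` and expects it to be called with `"evt_wrfwg4323fw"` plus an opts hash derived from the posted `"user_id"`, and a negative example here where the retrieved event's `type` is something else and the account must survive with status 501. This example also never asserts the response, e.g. `expect(response.status).to eq 200`, which is the part of the contract the webhook sender depends on.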