diff --git a/irc/getters.go b/irc/getters.go
index 570e5a423..85f982209 100644
--- a/irc/getters.go
+++ b/irc/getters.go
@@ -307,6 +307,13 @@ func (client *Client) setAccountName(name string) {
 	client.accountName = name
 }
 
+func (client *Client) setCloakedHostname(cloak string) {
+	client.stateMutex.Lock()
+	defer client.stateMutex.Unlock()
+	client.cloakedHostname = cloak
+	client.updateNickMaskNoMutex()
+}
+
 func (client *Client) historyCutoff() (cutoff time.Time) {
 	client.stateMutex.Lock()
 	if client.account != "" {
diff --git a/irc/handlers.go b/irc/handlers.go
index f461d26f3..3aec6edca 100644
--- a/irc/handlers.go
+++ b/irc/handlers.go
@@ -116,6 +116,20 @@ func sendSuccessfulAccountAuth(service *ircService, client *Client, rb *Response
 		client.server.sendLoginSnomask(details.nickMask, details.accountName)
 	}
 
+	// #1479: for Tor clients, replace the hostname with the always-on cloak here
+	// (for normal clients, this would discard the IP-based cloak, but with Tor
+	// there's no such concern)
+	if rb.session.isTor {
+		config := client.server.Config()
+		if config.Server.Cloaks.EnabledForAlwaysOn {
+			cloakedHostname := config.Server.Cloaks.ComputeAccountCloak(details.accountName)
+			client.setCloakedHostname(cloakedHostname)
+			if client.registered {
+				client.sendChghost(details.nickMask, client.Hostname())
+			}
+		}
+	}
+
 	client.server.logger.Info("accounts", "client", details.nick, "logged into account", details.accountName)
 }