UK Companies House confirmed that a security flaw in its WebFiling service exposed business data for five million registered companies from October 2025 until March 2026. The vulnerability allowed any logged-in user to access another company's dashboard and view private information, including directors' home addresses, email addresses, and dates of birth. Dan Neidle, founder of Tax Policy Associates, reported the vulnerability on Friday after John Hewitt from Ghost Mail had discovered the flaw and received no reply from Companies House. Neidle explained that the exploit worked by logging into one's own company dashboard, selecting "file for another company," entering any company number from the five million registered with Companies House, then pressing the back button multiple times when asked for an authentication code. Instead of returning to the user's own dashboard, the browser landed on the target company's dashboard.
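The behaviour described above is a broken-access-control pattern: a server that switches the session's company context before the authentication step completes, and a dashboard that trusts that context without re-checking authorization. The following is an added, hypothetical Python model of that flaw class beside its hardened form; it is not Companies House code (the page does not describe WebFiling's internals), and every name, company number and address in it is a constructed assumption.

```python
from dataclasses import dataclass, field

# Constructed sample data: who may act for which company, and the
# non-public details a company dashboard would show.
AUTHORISED = {"user-a": {"00000001"}, "user-b": {"00000002"}}
PRIVATE_DATA = {"00000001": "1 Example Row (constructed address)",
                "00000002": "2 Sample Close (constructed address)"}

@dataclass
class Session:
    user: str
    company: str                          # company the dashboard shows
    pending: dict = field(default_factory=dict)

def start_file_for_another_vulnerable(session, target):
    # Defect: company context switches before the code is verified, and
    # abandoning the code page (e.g. pressing Back) never undoes it.
    session.company = target
    session.pending = {"code_sent": True}

def dashboard_vulnerable(session):
    # Defect: trusts session state; no per-request authorization check.
    return PRIVATE_DATA[session.company]

def start_file_for_another_fixed(session, target):
    # Record intent only; context is unchanged until the code passes.
    session.pending = {"target": target, "code_sent": True}

def verify_code_fixed(session, code_ok):
    if code_ok and "target" in session.pending:
        AUTHORISED[session.user].add(session.pending["target"])
        session.company = session.pending["target"]
    session.pending = {}                  # failed/abandoned step leaves nothing

def dashboard_fixed(session):
    # Authorization re-checked on every request against server-side records.
    if session.company not in AUTHORISED.get(session.user, set()):
        raise PermissionError(f"{session.user} not authorised for {session.company}")
    return PRIVATE_DATA[session.company]

def back_button_scenario(start, dashboard):
    """user-a picks another company, then presses Back instead of entering
    the code. Returns the address the dashboard reveals, or None if refused."""
    s = Session(user="user-a", company="00000001")
    start(s, "00000002")
    try:
        return dashboard(s)
    except PermissionError:
        return None
```

The fixed flow shows the two properties that matter: no privileged context is written to the session until the authentication step has actually succeeded, and the dashboard re-derives authorization from server-side records on every request rather than from whatever an earlier page left behind.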
Companies House shut down WebFiling on Friday and brought it back online Monday after fixing the vulnerability. The agency confirmed the flaw was introduced during a WebFiling system update in October 2025. The vulnerability existed for five months before being reported and fixed. Companies House stated the flaw could only be exploited by logged-in users and would have allowed them to "change some elements of another company's details without their consent." The agency downplayed the severity by claiming the security issue could only be exploited to steal data and access company records "one entry at a time" as if this provides any meaningful protection.
A single compromised entry is a complete failure. One stolen director's home address is enough for stalking, harassment, or targeted attacks. One fraudulent filing changing company ownership is enough to destroy a business. One unauthorized director removal is enough to lock legitimate owners out of their own company. The "one at a time" framing is deliberate misdirection. Attackers don't need to compromise all five million companies. They need to compromise their target. A corporate espionage operation targeting one competitor. A stalker targeting one director who applied for address protection. A fraudster targeting one shell company to manipulate ownership records. Each of these attacks succeeds completely despite being "one entry at a time."
The vulnerability existed for five months. An attacker could access thousands of companies one at a time during that period. Automated scripts could cycle through company numbers overnight, accessing hundreds or thousands of records. The "one at a time" limitation only means the attack takes slightly longer, not that it's impractical. Companies House's investigation established that "specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users. This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings such as accounts or changes of director to have been made on another company's record." No user passwords were compromised. Data used during identity verification, such as passport information, was not accessed. No existing filed documents such as accounts or confirmation statements could have been altered.
Companies House reported the incident to the UK Information Commissioner's Office and the National Cyber Security Centre. The agency stated "We have no reports at this stage of data having been accessed or changed without permission. However, our investigation is ongoing." Companies House has no evidence the vulnerability was exploited because they don't know what to look for and have no logging infrastructure to detect unauthorized access that occurred by pressing the back button in a web browser. The flaw exposed residential addresses of company directors for five months. This information is not normally published on the public register. Directors who applied to keep their home addresses private for safety reasons had that protection bypassed by pressing back in a web browser. Companies House operates the registry for all UK companies and is responsible for maintaining the security of this data.
A government agency updated its filing system in October 2025 and introduced a vulnerability that allowed anyone to access private company data by pressing the back button. The flaw remained undetected for five months until a private researcher reported it. The agency had no monitoring in place to detect this type of unauthorized access. They have no evidence of exploitation because they have no logs showing who accessed what data. Companies House serves as the authoritative registry for corporate information in the United Kingdom. Five million companies trust this agency to securely maintain their registration data including private residential addresses of directors. The agency deployed a system update that broke authentication and session management so badly that pressing back in a browser bypassed all access controls. This remained undetected and unfixed for five months.
The vulnerability allowed unauthorized filing changes including adding or removing directors and submitting accounts on behalf of other companies. An attacker could have changed company ownership, filed fraudulent accounts, or removed legitimate directors from the register. Companies House claims no such changes occurred but admits their investigation is ongoing and they have no reports because they don't have the logging infrastructure to know what happened. Government agencies operate critical infrastructure for corporate registration with basic web application security failures that remain undetected for months. The UK corporate registry deployed broken authentication that anyone could bypass by pressing back in Firefox. Private researchers discovered and reported the flaw. The agency fixed it and claims no harm occurred while admitting they have no way to know if harm occurred.
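A detection check of the kind the article says was missing, as an added example that is not Companies House tooling: given an access log that records which user touched which company, it flags every view or filing by a user with no authority for that company and surfaces users who cycled through several companies. The log format, field names and records below are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed authorization map: which users may act for which company.
AUTHORISED = {"u1": {"00000001"}, "u2": {"00000002"}}

# Constructed audit log. Assumed format: "<timestamp> <user> <company> <action>"
SAMPLE_LOG = """\
2026-03-01T09:00:01Z u1 00000001 dashboard_view
2026-03-01T09:01:12Z u2 00000002 dashboard_view
2026-03-01T23:10:00Z u2 00000001 dashboard_view
2026-03-01T23:10:03Z u2 00000003 dashboard_view
2026-03-01T23:10:06Z u2 00000004 filing_submit
2026-03-02T08:00:00Z u1 00000001 filing_submit
"""

LINE = re.compile(r"^(\S+) (\S+) (\d{8}) (\S+)$")

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield {"ts": m[1], "user": m[2], "company": m[3], "action": m[4]}

def unauthorised_events(log_text, authorised=AUTHORISED):
    """Every event where the acting user holds no authority for the company."""
    return [e for e in parse(log_text)
            if e["company"] not in authorised.get(e["user"], set())]

def unauthorised_filings(log_text, authorised=AUTHORISED):
    """Subset of the above that changed a record rather than just viewing it."""
    return [e for e in unauthorised_events(log_text, authorised)
            if e["action"] == "filing_submit"]

def enumeration_suspects(log_text, authorised=AUTHORISED, threshold=3):
    """Users who touched at least `threshold` distinct companies they are not
    authorised for: the 'one at a time' cycling pattern described above."""
    seen = defaultdict(set)
    for e in unauthorised_events(log_text, authorised):
        seen[e["user"]].add(e["company"])
    return {u: sorted(c) for u, c in seen.items() if len(c) >= threshold}
```

The check only works if the application records the user, the company acted on and the action for every dashboard view and filing; without that record there is nothing to run it against, which is the gap the article describes.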
Blackout VPN exists because privacy is a right. Your first name is too much information for us.
FAQ
How did the Companies House vulnerability work?
Log into your own company dashboard, select "file for another company," enter any company number, then press back multiple times when asked for authentication. You accessed the target company's dashboard instead of your own.
How long was the vulnerability active?
Companies House introduced the flaw during a WebFiling system update in October 2025. The vulnerability existed for five months until private researchers reported it in March 2026 after receiving no response from the agency.
What data was exposed?
Directors' residential addresses, email addresses, and dates of birth. This includes addresses directors applied to keep private for safety reasons. The vulnerability also allowed unauthorized filing changes including adding or removing directors and submitting accounts.
How did Companies House respond?
Companies House downplayed the breach by claiming it only worked "one entry at a time" as if this provides protection. The agency has no evidence of exploitation because they have no logging infrastructure to detect unauthorized access.
Can Companies House detect if the vulnerability was exploited?
No. Companies House has no logging infrastructure to detect unauthorized access that occurred by pressing back in a web browser. They claim no data was accessed or changed but admit they have no way to know what happened.
