UK Companies House Exposed Details of Millions of Firms
Summary
A critical authentication bypass vulnerability in the UK Companies House WebFiling service exposed sensitive details of approximately 5 million registered firms, including directors' dates of birth, home addresses, and email addresses. The flaw, introduced in October 2025 and patched over a weekend in March 2026, allowed authenticated users to access other companies' accounts and modify filing records by simply pressing the back button during the authentication process. While Companies House reports no confirmed exploitation, the vulnerability highlights serious access control failures in a critical government registry.
Full text
A critical vulnerability has been found in a web application of Companies House, the government agency responsible for maintaining the public register of companies in the United Kingdom.

According to Tax Policy Associates, the security hole was discovered by John Hewitt of Ghost Mail on March 12, but it existed for several months before a patch was rolled out.

Hewitt found that any logged-in user could access other companies’ accounts on the Companies House platform. The attacker could have gained access to the non-public information of five million registered firms, including directors’ dates of birth, home addresses and email addresses. In addition, an attacker could have changed a company’s details and could have submitted unauthorized filings.

While the vulnerability could only be exploited by an authenticated attacker, conducting an attack would have been easy and required no technical skills. An attacker only needed to select the ‘file for another company’ option, enter the unique number associated with the targeted company and, when prompted for an authentication code, press the back button a few times. The attacker would then automatically be logged in to the targeted company’s account.

In a statement issued on Monday, Companies House confirmed the security hole, saying it affected its WebFiling service. The flaw was introduced in October 2025 and it was addressed over the weekend after the service was shut down on Friday.

“This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action,” the organization said.

Companies House clarified that the vulnerability did not expose passwords or information collected during the identity verification process (such as passports). In addition, an attacker could not have made changes to existing filed documents.
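The flaw described above is an ordering bug: the session is bound to the target company when the company number is entered, and the authentication-code check is a later step the client can skip. The toy model below is an added illustration, not Companies House's WebFiling code; the company numbers, codes and function names are constructed for the example. It shows the weak pattern beside a hardened flow that binds the session to a company only at the moment the code is verified.

```python
"""Toy model of the WebFiling-style ordering bug: authorisation attached to the session
before the authentication code is checked, beside the corrected ordering.
Hypothetical code, not the Companies House implementation."""

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"01234567": "ABCD12", "07654321": "ZYXW98"}


def vulnerable_flow(session, company, code=None):
    """Selecting a company binds the session to it immediately (the defect); the later
    code check only sets a flag that nothing downstream looks at."""
    session["company"] = company              # access granted before any proof of authority
    if code is not None and AUTH_CODES.get(company) == code:
        session["code_ok"] = True
    return session


def vulnerable_can_file(session):
    # Downstream only checks that a company is selected, so skipping the code step wins.
    return "company" in session


def hardened_flow(session, company, code=None):
    """The session is bound to a company only when the code is verified, so there is no
    intermediate state a client can reach by navigating backwards past the prompt."""
    session["pending_company"] = company      # remembered for the prompt, grants nothing
    if code is not None and AUTH_CODES.get(company) == code:
        session["company"] = company
        session["company_verified"] = True
    return session


def hardened_can_file(session):
    # Require the binding and the explicit verification flag together.
    return session.get("company_verified") is True and "company" in session


def simulate(flow, can_file, company, code=None):
    """Run one logged-in user through a flow; code=None models never completing the
    authentication-code step (the 'press back' path). Returns whether filing is allowed."""
    return can_file(flow({"user": "alice"}, company, code))
```

The check a reviewer would add to a flow like this is a test that the skipped-step path is denied, which is exactly what the hardened variant enforces.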
“We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user,” the agency clarified.

Companies House also noted that while it’s not aware of any instances of data being accessed or changed through the exploitation of this vulnerability, companies should verify their details and filing history and report any concerns.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.