Companies House, a British government agency that operates the registry for all U.K. companies, says its WebFiling service is back online after it was closed on Friday to fix a security flaw that exposed companies’ information since October 2025.
Dan Neidle, founder of the non-profit Tax Policy Associates, reported the vulnerability to the U.K. corporate register on Friday after Ghost Mail’s John Hewitt (who discovered the flaw) didn’t receive a reply.
“All that was required was to log in to Companies House using your own details and access your own company’s dashboard. Then opt to “file for another company” and enter the company number for any one of the five million companies registered with Companies House,” said Neidle.
“At that point you’d be asked for an authentication code, which of course you don’t have. No problem. Press the ‘back’ key a few times to return to your dashboard. Except – it isn’t your dashboard. It’s the other company’s dashboard.”
Neidle added that the flaw exposed the data of five million registered companies for five months, including their management’s home and email addresses.
Companies House confirmed the vulnerability on Monday after bringing the filing service back online and said that the issue was introduced when the agency updated its WebFiling systems in October 2025.
The agency said the flaw could’ve been abused only by logged-in users and would’ve allowed them to “change some elements of another company’s details without their consent.” However, it also added that the security issue could only be exploited to steal data and access company records one entry at a time.
“Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users,” Companies House noted.
“This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company’s record.”
As the agency added, no user passwords were compromised, and data used during the identity verification process, such as passport information, was not accessed while the service was vulnerable. Additionally, “no existing filed documents, such as accounts or confirmation statements could have been altered.”
The agency has since reported the incident to the U.K. Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC), and is investigating if this vulnerability has been exploited to access or alter any company’s details.
“We have no reports at this stage of data having been accessed or changed without permission,” Companies House said in today’s statement. “However, our investigation is ongoing. We’ll provide further updates as our work progresses and we remain committed to being transparent throughout.”
Malware is getting smarter. The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
Download our analysis of 1.1 million malicious samples to uncover the top 10 techniques and see if your security stack is blinded.
