UK Companies House Confirms Critical Vulnerability Exposing Data of Over 5 Million Companies


159/69 Thursday, March 19, 2026

Companies House has confirmed a critical security vulnerability in its WebFiling service, potentially putting data from more than 5 million registered companies at risk. The flaw was discovered by researchers from Ghost Mail on March 12, 2026, but investigations revealed that the issue had been present in the system since October 2025. The agency temporarily took the service offline and deployed a patch over the weekend to address the issue.

The vulnerability allowed authenticated users to access other companies’ accounts without advanced technical skills. By simply entering a target company number and repeatedly using the browser’s back button, attackers could bypass verification checks. This method enabled unauthorized access to non-public director information, including dates of birth, residential addresses, and email addresses, and also allowed attackers to modify company details or submit filings without authorization.
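The report does not describe the server-side cause. As an added illustration (not Companies House code, and not from the source article), the Python model below assumes a design in which a single "verified" flag in the session outlives a change of target company, and contrasts it with a check bound to the company number on every request. All class names, company numbers and authentication codes are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed data: company number -> authentication code (hypothetical).
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}


@dataclass
class WeakSession:
    """Assumed flawed design: one 'verified' flag, not tied to a company."""
    user: str
    selected: str | None = None
    verified: bool = False

    def select(self, company: str) -> None:
        self.selected = company  # the flag survives a change of company

    def verify(self, code: str) -> None:
        self.verified = AUTH_CODES.get(self.selected) == code

    def can_act(self) -> bool:
        return self.verified  # never asks "verified for which company?"


@dataclass
class BoundSession:
    """Hardened design: verification is recorded per company number."""
    user: str
    verified_for: set[str] = field(default_factory=set)

    def verify(self, company: str, code: str) -> None:
        if AUTH_CODES.get(company) == code:
            self.verified_for.add(company)

    def can_act(self, company: str) -> bool:
        # Evaluated on every request, against the company named in it.
        return company in self.verified_for


def replay_stale_state() -> tuple[bool, bool]:
    """Verify for one company, then target another: (weak, bound) result."""
    weak = WeakSession("alice")
    weak.select("00000001")
    weak.verify("A1B2C3")
    weak.select("00000002")  # navigation changes only the target

    bound = BoundSession("alice")
    bound.verify("00000001", "A1B2C3")
    return weak.can_act(), bound.can_act("00000002")
```

The weak model authorizes the second company because the decision depends on workflow state; the bound model denies it because the decision depends on the object being accessed.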

Companies House stated that the vulnerability did not expose passwords or identity verification documents such as passports, and it is believed that the flaw could not be easily exploited for large-scale automated data extraction, as access was limited to one company at a time. Although there is currently no evidence of malicious exploitation, the agency has advised all companies to review their filing history and company records and to report any suspicious activity immediately.

Source: https://www.securityweek.com/uk-companies-house-exposed-details-of-millions-of-firms/