UK Companies House Data Leak: Millions of Firms’ Details Exposed

Security Vulnerability Discovered in Companies House Web Application

A critical vulnerability was discovered in the web application of Companies House, the UK government agency responsible for maintaining the public register of companies.

Vulnerability Details

The security hole, which existed for several months before a patch was rolled out, allowed any logged-in user to access and modify the accounts of other companies on the platform.

The vulnerability was found by John Hewitt of Ghost Mail on March 12, but it is believed to have been introduced in October 2025.

An attacker could have exploited the flaw to gain access to non-public information of approximately five million companies, as well as submit unauthorized filings and modify company details.

Exploiting the Vulnerability

The attack required no technical skills and could have been carried out by selecting the ‘file for another company’ option, entering the unique company number, and pressing the back button a few times to bypass authentication.

This would have granted the attacker automatic access to the targeted company’s account.
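A minimal model of this class of flaw and its fix, added here as an example; it is not code from Companies House or from the original article. The root cause is not described in the article, so the weak handlers assume the target company became active before the authentication-code step completed. All function names, company numbers and codes are hypothetical.

```python
import hmac

# Constructed sample data: company number -> authentication code (not real values).
AUTH_CODES = {"00000001": "ALPHA1", "00000002": "BRAVO2"}

class Session:
    """Hypothetical server-side session for one logged-in user."""
    def __init__(self, own_company):
        self.verified = {own_company}  # companies whose code this session has proven
        self.active = own_company      # company the pages currently act on
        self.pending = None            # company awaiting its authentication code

def select_company_weak(session, number):
    # Weak: the target becomes the active company as soon as its number is
    # entered, so leaving the flow before the code step keeps it active.
    session.active = number

def select_company(session, number):
    # Hardened: entering a number only records a pending request.
    session.pending = number

def submit_auth_code(session, code):
    # Promote the pending company only after its code checks out.
    number, session.pending = session.pending, None
    expected = AUTH_CODES.get(number)
    if expected is None or not hmac.compare_digest(expected.encode(), code.encode()):
        return False
    session.verified.add(number)
    session.active = number
    return True

def file_change_weak(session, change):
    # Weak: trusts whatever company the navigation state points at.
    return (session.active, change)

def file_change(session, change):
    # Hardened: every request re-checks that the company was verified.
    if session.active not in session.verified:
        raise PermissionError("company not authorised for this session")
    return (session.active, change)

def abandoned_flow_outcomes():
    # The flow is abandoned after the number is entered and before the code step.
    weak, hard = Session("00000001"), Session("00000001")
    select_company_weak(weak, "00000002")
    select_company(hard, "00000002")
    return file_change_weak(weak, "new address")[0], file_change(hard, "new address")[0]
```

In the hardened handlers the authorisation decision is made on every request from server-side state, so page navigation order cannot change which company a filing is applied to.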

Statement from Companies House

Companies House confirmed the security hole in a statement, saying it affected its WebFiling service. The organization clarified that the vulnerability did not expose passwords or information collected during the identity verification process, such as passport details. Additionally, an attacker could not have made changes to existing filed documents.

Impact and Resolution

The agency stated that it believes the issue could not have been used to extract data in large volumes or access records systematically, and that any access would have been limited to individual company records viewed one at a time.

Companies House said it is not aware of any instances of data being accessed or changed through exploitation of this vulnerability. However, it advised companies to verify their details and filing history and report any concerns.

The vulnerability was addressed over the weekend after the WebFiling service was shut down on Friday.

Companies House emphasized that the security hole was not accessible to the general public and could only be exploited by authorized users with a valid login and authentication code.


