Companies House has restored its WebFiling service following a temporary shutdown to address a security vulnerability that had been active since October 2025. The flaw, which was reported by Dan Neidle of Tax Policy Associates after an initial discovery by John Hewitt, allowed unauthorized access to the private dashboards and sensitive data of five million registered UK companies.
The British government agency responsible for maintaining the corporate registry confirmed that the security gap was inadvertently created during a system update in October 2025. The vulnerability was significant because it exposed the home and email addresses of company management teams, though the agency now states the service is secure and back online as of Monday.
The security failure was first identified by John Hewitt of Ghost Mail, but it was only after Dan Neidle of Tax Policy Associates intervened that the UK corporate register took action. Neidle reported the issue on Friday after earlier attempts to alert the agency went unanswered. This report led to the immediate closure of the WebFiling portal to prevent further data exposure while a fix was implemented.
The actual method for exploiting the flaw was alarmingly simple and required no advanced hacking skills. A user would log into their own account and attempt to file for another company by entering any valid company number. When prompted for a mandatory authentication code that the user did not possess, the security check could be bypassed entirely by hitting the back button on the browser several times.
Instead of returning the user to their own secure area, the browser would redirect them to the private dashboard of the target company. This unintended access granted the user full view of the internal dashboard as if they were an authorized officer. Neidle noted that this specific loophole remained open for five months, potentially compromising every single entity registered in the system.
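The class of failure described above can be shown with a small model, added here as an illustration and not taken from Companies House code. It assumes, hypothetically, that the server records the selected company in the session before the authentication code is verified, and contrasts that with a dashboard handler that re-checks authorisation on every request. All names and sample data are constructed.

```python
import hmac

# Constructed sample data: verified (user, company_number) pairs and auth codes.
AUTHORISED = {("alice", "00000001")}
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "Z9Y8X7"}


class Session:
    def __init__(self, user):
        self.user = user
        self.company = None   # company the session is acting for
        self.pending = None   # company still awaiting the auth-code check


# --- Flawed flow (assumed): target is committed before the code is checked ---
def select_company_flawed(s, number):
    s.company = number        # session state changes before verification


def dashboard_flawed(s):
    # Trusts session state and never asks whether this user may see it,
    # so leaving the auth-code prompt (e.g. via Back) still shows the target.
    return f"dashboard:{s.company}"


# --- Hardened flow: commit only after verification, re-check on every read ---
def select_company(s, number):
    s.pending = number        # nothing is granted yet


def submit_auth_code(s, code):
    number, s.pending = s.pending, None
    expected = AUTH_CODES.get(number)
    if expected is not None and hmac.compare_digest(expected.encode(), code.encode()):
        AUTHORISED.add((s.user, number))
        s.company = number
        return True
    return False


def dashboard(s):
    # Authorisation is decided per request from server-side records, so
    # navigating back to an earlier page cannot skip the check.
    if (s.user, s.company) not in AUTHORISED:
        raise PermissionError("not authorised for this company")
    return f"dashboard:{s.company}"
```
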
Data exposed during this period included highly sensitive personal details, specifically the home addresses and email contacts of company directors and management. Because the registry contains five million companies, the scope of the exposure was massive. The breach highlights a significant oversight in the agency’s technical quality control during its late 2025 system updates.
Companies House acknowledged the situation on Monday, explaining that the vulnerability was a direct result of changes made to the WebFiling infrastructure. While the service is now functioning again, the incident has raised questions regarding the agency's responsiveness to security researchers. The agency maintains that the underlying issue has been fully resolved and the platform is once again safe for corporate filings.
Source: UK Companies House Confirms Flaw Exposed Sensitive Business Data


