Companies House WebFiling dashboard access-control security flaw
Vulnerability
Summary
Companies House has taken its WebFiling dashboard offline after a serious flaw let authenticated users reach other companies’ dashboards, creating fraud and unauthorized-change risk across about five million companies. The weakness exposed directors’ personal and corporate details, including email addresses and dates of birth. It also could let an attacker alter registration records, opening the door to phishing and bank-account fraud. The agency is investigating while users are being told to review their registration data for unauthorized changes.
Related Happenings
Companies House WebFiling data exposure affecting five million registered companies
Data Leak
First: 16.03.2026 19:07
Last: 16.03.2026 19:07
Sources 1
How related:
Neidle added that the flaw exposed the data of five million registered companies for five months, including their management's home and email addresses.
About this happening:
A **Companies House WebFiling** access-control flaw exposed non-public company records to unauthorized logged-in users, creating a privacy and integrity risk for millions of filin...
Timeline
- 16.03.2026 12:30 · 2 articles · 2mo ago
Companies House suspends WebFiling dashboard after access-control flaw
Mitigation Patch Update
Companies House suspended access to its WebFiling dashboard after being notified of a serious access-control flaw that let a logged-in user move from their own company dashboard into another company's dashboard, creating risk of unauthorized registration changes and exposure of directors' email addresses and dates of birth.
Sources:
- UK: Companies House Web Glitch Exposes Corporate Details to Fraudsters — www.infosecurity-magazine.com — 16.03.2026 12:30
- UK’s Companies House confirms security flaw exposed business data — www.bleepingcomputer.com — 16.03.2026 19:07
- 16.03.2026 12:30 · 1 article · 2mo ago
Public disclosure of the Companies House dashboard switching flaw
Initial Disclosure
Dan Neidle of Tax Policy Associates and John Hewitt of Ghost Mail described a simple login flow that could reach another company's dashboard for any of the five million companies registered with Companies House, exposing personal and corporate data and creating follow-on phishing and bank-account fraud risk; directors were advised to check both public and non-public registration details for unauthorized changes.
Sources:
- UK: Companies House Web Glitch Exposes Corporate Details to Fraudsters — www.infosecurity-magazine.com — 16.03.2026 12:30