Companies House flaw exposed five million directors and enabled company hijacking

By Dan Neidle

March 13, 2026


A major vulnerability in the Companies House website enabled free access to the “dashboard” of any of the five million registered companies. It revealed directors’ home addresses and email addresses, and appears to have enabled modification of company and director details – even filing of accounts.

The vulnerability was discovered yesterday by John Hewitt at Ghost Mail, a corporate services provider. He got in touch with us immediately. We verified the issue and alerted Companies House immediately. Their systems have now been temporarily shut down, which is why we are publishing. The FT have the story here.

It’s best demonstrated with this short video. It shows me using the vulnerability to view the private Companies House dashboard of ClarityDW Ltd, a digital communications consultancy owned by Jonathan Phillips. Jonathan kindly gave us permission to do this:

When John first told me, I assumed it was a highly technical exploit or “hack”. It was nothing of the sort. All that was required was to log in to Companies House using your own details and access your own company’s dashboard. Then opt to “file for another company” and enter the company number for any one of the five million companies registered with Companies House. At that point you’d be asked for an authentication code, which of course you don’t have. No problem. Press the “back” key a few times to return to your dashboard. Except – it isn’t your dashboard. It’s the other company’s dashboard.

When John first showed this, I thought it might be something odd about his account or his computer. So I verified myself – and it worked immediately. It reveals all the information usually available on the dashboard, including private information that is not publicly visible, such as personal email addresses and full dates of birth (and you can see that in the video, with Jonathan’s personal information masked).

We also verified that the vulnerability appeared to enable editing. John Hewitt, with my permission, edited my home address for a company that I own. The system appeared to accept this in the same way as any normal edit (although we don’t know at this point if it would have taken effect). It also looks like it was possible to file accounts.

We told Companies House of the vulnerability as soon as we became aware of it; soon afterwards, the web filing system shut down, presenting this:

We received this response from Companies House’s press office:

And the service availability page says:

The obvious questions are:

  • How long was Companies House’s website vulnerable to this “exploit” (if we can call it that)? Hours, days or months? Research suggests a vulnerability will, on average, be exploited within 15 days.
  • Can Companies House track the usage of the exploit, and see which companies were impacted?

There are obvious security and GDPR implications of revealing directors’ home and email addresses for millions of companies. All the more so if nobody knows which companies were impacted by the vulnerability.


Thanks most of all to John Hewitt at Ghost Mail. I hope he receives formal thanks from Companies House.

And thanks to Jonathan Phillips for helping verify the vulnerability, and allowing his own company to be used as a guinea pig.
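The sequence described above (select another company, get asked for an authentication code, press back, see that company’s dashboard), modelled as an added Python example that is not Companies House’s code. It assumes the mechanism several commenters below hypothesise, not a confirmed cause: the server parks the chosen company number in the session before the code is verified and later pages trust that value. The hardened handlers beside it defer the selection until the code is verified and re-check authorisation on every request; all users, company numbers and codes are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: who may act for which company, and each company's code.
AUTHORISED = {"dan": {"00000001"}, "jonathan": {"00000002"}}
AUTH_CODES = {"00000001": "ABC123", "00000002": "XYZ789"}
DASHBOARDS = {
    "00000001": "director Dan, home address <constructed>",
    "00000002": "director Jonathan, home address <constructed>",
}

@dataclass
class Session:
    user: str
    company: Optional[str] = None  # company currently selected in web filing

def select_company_vulnerable(s: Session, company_no: str) -> str:
    # Assumed bug: the selection is parked in the session before the code is
    # checked, so the code screen is merely the next page and "back" skips it.
    s.company = company_no
    return "ask_auth_code"

def dashboard_vulnerable(s: Session) -> str:
    # Assumed bug: trusts session.company with no authorisation check.
    return DASHBOARDS[s.company]

def select_company_hardened(s: Session, company_no: str, code: str) -> str:
    # Fix 1: the selection only takes effect once the code has been verified.
    if AUTH_CODES.get(company_no) != code:
        return "denied"
    AUTHORISED.setdefault(s.user, set()).add(company_no)
    s.company = company_no
    return "ok"

def dashboard_hardened(s: Session) -> str:
    # Fix 2: every request re-checks user-to-company authorisation, so a stale
    # or manipulated session value cannot widen access (authn is not authz).
    if s.company is None or s.company not in AUTHORISED.get(s.user, set()):
        return "denied"
    return DASHBOARDS[s.company]

def reproduce(vulnerable: bool) -> str:
    """Walk the article's steps as user 'dan' aiming at company 00000002."""
    s = Session(user="dan", company="00000001")
    if vulnerable:
        select_company_vulnerable(s, "00000002")  # sees code prompt, presses back
        return dashboard_vulnerable(s)
    select_company_hardened(s, "00000002", code="")  # no code: selection never applies
    return dashboard_hardened(s)  # "back" lands on dan's own dashboard
```

Fix 2 is the one that matters on its own: even if some other page sets the session value early, a per-request authorisation check keeps it from exposing another company’s data.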

11 responses to “Companies House flaw exposed five million directors and enabled company hijacking”

  1. Robert Simons

    It looks to me to be intrinsic to the implementation, i.e. it will have been there from when they got the new Web Filing system working with their Digital ID. Nationwide’s browser-based on-line banking app doesn’t support the Back button: you always have to click on another link on the page and move forward. I surmise that it’s very hard to implement the Back button without opening yourself to vulnerabilities.

    I was distinctly underwhelmed with Companies House’s implementation of Digital ID and the lack of clarity about what you had to do. They told you that you had to have a Digital ID and that it was tied to an email. What they didn’t make clear was that you could have many Digital IDs so long as each one used a separate email address.

    As I thought that I’d only be able to get one Digital ID, I thought I’d better get it for my personal email. In order to avoid being locked out of accessing my company’s records, I therefore changed my registered email address for Companies House to my personal one and got a Digital ID for it. I then used it to complete the registration for Companies House.

    When I established that I could have more than one Digital ID, I got one for my business email address and tried to switch my registration at Companies House. If it’s possible, I haven’t found how to do it, nor has Companies House support been able to show me. The whole way that you get thrown back into the generic OneID pages is so clunky that I’d be astonished if the system hadn’t had vulnerabilities.

    1. Pikolo

      The back button has nothing to do with this – the inability to handle a back button gracefully is evidence of either developer incompetence, or a paranoid WAF* configuration. This sounds like a classic “authentication is not authorization” issue – the API was validating that you were a logged in user, but was not validating that you were authorized to view this specific company’s private details. Authorization checks were probably only implemented in the UI layer, and that is simply not possible to do securely.

      Terms:
      WAF – Web Application Firewall – usually a tool used to make insecure websites appear less insecure, occasionally an element of defence in depth
      authentication – verifying the user is who they say they are
      authorization – verifying the user is allowed to perform a specific operation

    2. David Batley

      I’ve always assumed the back button is disabled by banks to prevent making the same payment twice, showing an old version of the balance, etc. For access control, there’s no real difference between someone going “back” vs typing a previous url into the address bar.

      I would assume the cause is somewhat boring, eg: if the server remembers a “company_id” for the logged in user: one page assumes that being set implies you can access it, another page sets it before authorization is complete?

      I’m glad Companies House are treating this as an urgent, serious matter (as they should).

  2. Paul Weir

    This makes a complete mockery of the hoops my co-directors are having to jump through to get a security code to access Companies House or be fined. In one case the person is having to buy a passport just to prove his identity even though he doesn’t travel and can no longer drive (hence no driving licence). The website to obtain a onegov (full stop removed) identity is the worst website I have ever encountered, and I’m quite tech savvy. It sends people round in circles, sometimes to multiple websites. It is very difficult to have confidence in the security of the government’s websites. The earliest HMRC site was also rubbish.

  3. Nelson Fernandes Serrao

    This is absolutely shocking!

    There will obviously have to be a full investigation, but this sounds like the current company number is being stored to a cookie/the session and being read blindly… without further validation. Navigating to check for that different company must then be setting that to the new company number…

    Blindly trusting *anything* the user can access/change/manipulate is just a big no-no. Having built sensitive databases myself, you *never* trust the information the browser is reporting.

  4. Damian Williams

    I find it difficult to believe that any major software changes to the website (or an accumulation of minor changes) that expose sensitive information to users are not fully penetration tested before release to ensure that such “horizontal access” cannot happen.
    Any reputable, competent, commercial developer should (and probably would) include this as a matter of routine via policy and procedure.
    If you have any cyber-security contacts, it might be worth asking them for an informed opinion as to just how serious this could be reputationally and financially if this had happened in the financial or some other commercial sector, and how lucky Companies House is that the [presumed] first person to find it disclosed it responsibly.
    Anything a human can do on a computer can be automated which means it would have been trivially easy to extract and/or update every record at CH with new information.
    (There are some technical restraints on how often you can call their API but with careful targeting, you could do a lot of damage before these were hit).

  5. Joe Williams

    The workflow for adding a new company to your WebFiling account was changed in the past few months – I believe it was at the same time as the OneGov login integration was added. I wonder if that’s what introduced the issue.

  6. Jack Harper

    The 2 golden rules of digitalisation are:
    1 Don’t do it before you can;
    2 Don’t do it just because you can.

    As we are dragged involuntarily with indecent haste into the jobless apocalyptic dystopia of our AI future we must expect more data breaches and service outages.

    On the horizon:
    1 the Making Tax Difficult Meltdown;
    2 the imminent catastrophe of BT’s compulsory Switchover from landlines to WiFi coupled with the complete disappearance of public phone boxes. All digital eggs in one basket.

  7. Simon Haslam

    sheesh – this is seriously scary, and is a major GDPR breach by Companies House – I assume they will be referring themselves to the ICO?

  8. Paul

    That’s so bad! Wonder how long that’s been in place and if it’s been used for any dubious activity.
