[Screenshot: the private WebFiling dashboard of CLARITYDW LIMITED, company number 09792296, a private limited company incorporated on 23 September 2015, registered office 53 Howard Road, Westbury Park, Bristol, England, BS6 7US. The dashboard shows the registered email address, the eReminders and PROOF options, and the accounts and confirmation statement status with their next due dates.]

Companies House flaw exposed five million directors and enabled company hijacking

By Dan Neidle

March 13, 2026

21 Comments

A major vulnerability in the Companies House website gave unauthorised access to the private dashboard of any of the five million registered companies for five months. It exposed directors’ home addresses and email addresses, and enabled attackers to change company and director details – and even file accounts.

This article sets out what we know, what we don’t, and what businesses should be doing to protect themselves. Updated 17 March 2026 with Companies House letter.

What is now confirmed:

  • Unauthorised access to any company’s dashboard
  • Vulnerability existed since October 2025
  • Bad actors could access non-public personal data
  • Bad actors could file accounts and company/director changes

What remains unconfirmed:

  • Whether it was exploited by criminals
  • Whether Companies House can identify affected companies

The vulnerability

It’s incredibly simple, and involves just pressing the “back” key at a particular time.

The vulnerability was discovered on Thursday 12 March by John Hewitt at Ghost Mail, a corporate services provider. He tried to contact Companies House immediately, but didn’t get a response – so he contacted us. This is a video of the Zoom call when John first demonstrated the vulnerability to me (edited only to redact personal information):

John used the vulnerability to view the private Companies House dashboard of ClarityDW Ltd, a digital communications consultancy owned by Jonathan Phillips. Jonathan kindly gave us permission to do this.

John then used it to view the dashboard of a company I own, and to modify my own registered address. That appeared to work, as it generated a confirmation number. As you will hear, I was incredulous at what John showed me.

I then spoke to computer security specialists. To rule out the possibility that it was something specific to John’s computer, network or account, I tested the vulnerability myself (again using Jonathan’s company as the target):

This shows the exploit revealing private information that’s not published by Companies House, such as personal email addresses and full dates of birth (and you can see that in the video, with Jonathan’s personal information masked).

These are precisely the kinds of data used for fraud: impersonation, phishing, identity checks, and social engineering – particularly targeting directors of small companies (as large companies generally have systems that mean one person alone cannot authorise payments).

I therefore alerted Companies House immediately. They responded swiftly by shutting down the e-filing system, and only after that did we (and the FT) publish this story.

How the exploit works

When John first contacted me, I assumed this was a highly technical exploit or “hack”. It was nothing of the sort.

All that was required was to log in to Companies House using your own details and access your own company’s dashboard. Then opt to “file for another company” and enter the company number for any one of the five million companies registered with Companies House. At that point you’d be asked for an authentication code, which of course you don’t have. No problem. Press the “back” key a few times to return to your dashboard. Except – it isn’t your dashboard. It’s the other company’s dashboard.

Anybody wishing to take advantage of the exploit could, for £100, incorporate their own company and obtain dashboard access (and there are various ways this could be done without leaving any trace back to those responsible).
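The sequence above, as a constructed Python model added here (it is not Companies House's code): a session-stored "selected company" that is overwritten as soon as a company number is entered, before the authentication code is checked, beside a hardened flow that only selects the company after the code is verified and re-checks the account's entitlement on every dashboard request. Account names, company numbers and codes are invented.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical accounts, company numbers and codes; not real records).
OWN_COMPANY = {"alice": "10000001", "bob": "10000002"}
# Which WebFiling account currently holds an authentication code for which company.
ENTITLEMENTS = {"alice": {"10000001"}, "bob": {"10000002"}}
AUTH_CODES = {"10000001": "AAA111", "10000002": "BBB222", "10000003": "CCC333"}
# Non-public details that a company's private dashboard shows.
PRIVATE_DETAILS = {
    "10000001": {"name": "ALICE TRADING LTD", "email": "alice@example.invalid"},
    "10000002": {"name": "BOB SERVICES LTD", "email": "bob@example.invalid"},
    "10000003": {"name": "TARGET CO LTD", "email": "director@example.invalid"},
}


@dataclass
class Session:
    user: str
    company_id: Optional[str] = None       # company the dashboard will render
    pending_company: Optional[str] = None  # company awaiting an auth code (hardened flow only)


class VulnerableFlow:
    """Models the behaviour described in the article: the selection is persisted
    as soon as a company number is typed, and the dashboard trusts that value."""

    def login(self, user: str) -> Session:
        return Session(user=user, company_id=OWN_COMPANY[user])

    def file_for_another_company(self, s: Session, company_number: str) -> str:
        # Defect: the session's selected company is overwritten before any code is checked.
        s.company_id = company_number
        return "enter_auth_code"  # page the user lands on next

    def submit_auth_code(self, s: Session, code: str) -> str:
        if AUTH_CODES.get(s.company_id) == code:
            ENTITLEMENTS[s.user].add(s.company_id)
            return "dashboard"
        return "auth_code_rejected"

    def dashboard(self, s: Session) -> dict:
        # Defect: "is logged in" is the only check; the session value is trusted blindly.
        return PRIVATE_DETAILS[s.company_id]


class HardenedFlow(VulnerableFlow):
    """Same pages, but the company is only selected after the code is verified,
    and every dashboard request re-checks the account's entitlement server-side."""

    def file_for_another_company(self, s: Session, company_number: str) -> str:
        s.pending_company = company_number  # remembered, but not yet selected
        return "enter_auth_code"

    def submit_auth_code(self, s: Session, code: str) -> str:
        if s.pending_company and AUTH_CODES.get(s.pending_company) == code:
            ENTITLEMENTS[s.user].add(s.pending_company)
            s.company_id, s.pending_company = s.pending_company, None
            return "dashboard"
        return "auth_code_rejected"

    def dashboard(self, s: Session) -> dict:
        if s.company_id not in ENTITLEMENTS.get(s.user, set()):
            raise PermissionError(f"{s.user} is not authorised for company {s.company_id}")
        return PRIVATE_DETAILS[s.company_id]


def dashboard_after_back(flow: VulnerableFlow, user: str, other_company: str) -> str:
    """Log in, start 'file for another company', abandon the auth-code page by pressing
    back (no code submitted, no further request), then reopen the dashboard.
    Returns the company name the dashboard shows, or 'denied'."""
    s = flow.login(user)
    flow.file_for_another_company(s, other_company)
    try:
        return flow.dashboard(s)["name"]
    except PermissionError:
        return "denied"


def dashboard_with_tampered_session(flow: VulnerableFlow, user: str, company: str) -> str:
    """Even if the session's company_id were forced to another company, the hardened
    flow still refuses unless the account holds an authentication code for it."""
    try:
        return flow.dashboard(Session(user=user, company_id=company))["name"]
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    print(dashboard_after_back(VulnerableFlow(), "bob", "10000003"))  # TARGET CO LTD (the flaw)
    print(dashboard_after_back(HardenedFlow(), "bob", "10000003"))    # BOB SERVICES LTD (own dashboard)
```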

Does the exploit enable modification of company data?

In the first video, you can see John changing my own registered address for a company (this was with my permission, and it needed changing anyway). The change appeared to go through, and we saw this confirmation:

[Screenshot: the submission confirmation page]

There are two notable things here. First, we received a submission number. The technical experts we spoke to said that, whilst it was possible the edit was not really going through, the fact we saw a submission number suggested that it was. Second, the copy of the confirmation was emailed to John, and not to me (even though it was my company):

From: Companies House
Sent: Friday, March 13, 2026 11:08 AM
To: ghostmail.co.uk
Subject: (LLCH01) Change of details of a member of an LLP received or

Companies House

Thank you for sending a submission for

(LLCH01) Change of details of a member of an LLP
Changing details for Daniel Mare NEIDLE on 13 March 2026

Your unique submission number is 114-409158
Please quote this number in any communications with Companies House.

We will email you within 2 working days to confirm acceptance or rejection of this filing.

For information on how your personal data is handled by Companies House see our privacy policy

This is extremely dangerous, because it means that any company that falls victim to this exploit would not receive a warning email.

We concluded from this that any filings could be made for any company, including changing registered office, director names/addresses, and filing accounts.

Has the vulnerability been exploited?

We don’t know. Five months is a long time for a vulnerability this serious to remain live. Research suggests that newly discovered vulnerabilities are, on average, exploited within 15 days.

The security experts we spoke to thought that, if the exploit had been live for longer than a few days, then there was a high chance that bad actors had discovered it. It could then have been sold to an organised group (on Telegram or the “dark web”).

It would be technically straightforward to scrape the hidden personal details of the directors of all five million companies, but sophisticated bad actors would expect that to trigger alerts at Companies House. A sophisticated criminal group would probably not use this exploit in the most obvious way. They would use it carefully, selectively, and for profit.

The experts we spoke to identified these as more likely uses of the exploit:

  • Use open source research to identify individuals vulnerable to identity fraud – and this would be more likely to be directors of small companies than billionaires. Then use the exploit to find their personal data – but limit this to hundreds of companies rather than millions.
  • If the exploit really does enable modification, then identify small companies that could plausibly borrow large amounts from banks, and change their details so that the criminals can open bank accounts and borrow in the name of those companies. This would be carried out on a small scale – say 20 companies each week borrowing £50,000 each. It would take some time for banks and/or authorities to realise that this was more than “conventional” fraud by e.g. forging signatures and intercepting post.

Companies House’s response

We told Companies House of the vulnerability as soon as we became aware of it; soon afterwards, the web filing system shut down, presenting this error message, and this on the “service availability” page:

AccessDenied
Access Denied

Service availability and planned maintenance

Friday 13 March - WebFiling service unavailable

Our WebFiling service is currently unavailable due to a technical issue. We understand how important it is for our customers to meet filing deadlines, and we’re working to resolve the issue as quickly as possible.

If you miss your filing deadline due to the service being unavailable, there’s no need to call us. File as soon as you can once the service is available, and take a screenshot of any error messages and note the time and date. We'll take this evidence into account if you cannot file.

Friday 13 March - Set up a limited company and register for Corporation Tax unavailable

The Set up a limited company and register for Corporation Tax service is unavailable.

On Monday 16 March, Companies House published a full statement revealing that the vulnerability had been live for five months.

News story: Update on Companies House WebFiling security issue

Statement from Andy King, Chief Executive of Companies House, on the WebFiling security issue.

From: Companies House
Published 16 March 2026

WebFiling security issue

On Friday 13 March, Companies House was made aware of a security issue which meant that a logged-in user of our WebFiling service could potentially access and change some elements of another company’s details without their consent after performing a specific set of actions.

This was not accessible to the general public. Only users with an authorised code and logged in to the service could have performed this action.

We closed WebFiling at 1:30pm on Friday 13 March while we investigated and resolved the issue. The service has been independently tested and is back online as of 9am on Monday 16 March.

What data may have been affected

Our investigation has established that specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users. This includes dates of birth, residential addresses and company email addresses. It may also have been possible for unauthorised filings — such as accounts or changes of director — to have been made on another company’s record.

We want to be clear about what was not affected:

  • Passwords were not compromised.
  • No data used as part of our identity verification process, such as passport information, was accessed.
  • No existing filed documents, such as accounts or confirmation statements, could have been altered.

We believe that this issue could not have been used to extract data in large volumes or to access records systematically. Any access would have been limited to individual company records, viewed one at a time by a registered WebFiling user.

Our investigation indicates that this issue was introduced when we updated our WebFiling systems in October 2025.

What we are doing

We have proactively reported this incident to the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC). We are actively analysing our data to identify any anomalies, and we'll be emailing every company’s registered email address to explain how to check their details and what steps to take if they have any concerns.

If we find evidence that anyone has used this issue to access or change another company’s details without authorisation, we will take firm action.

What companies should do now

We are asking all companies to check their registered details and filing history to make sure everything appears correct. If a company has a concern, please raise a complaint and include evidence to describe the concern.

We have no reports at this stage of data having been accessed or changed without permission. However, our investigation is ongoing. We'll provide further updates as our work progresses and we remain committed to being transparent throughout.

We'll soon be publishing a page with more details to answer any further questions you may have.

An apology

I recognise that this incident will have caused concern and inconvenience to many of the companies and individuals who rely on our services. I am sorry for that.

Companies House takes its responsibility to protect the data entrusted to us extremely seriously. We have taken swift action to secure and restore our service, and are committed to doing everything in our power to support those affected and to making sure that our services continue to merit the trust placed in them.

Andy King
Chief Executive Officer, Companies House
Registrar of Companies for England and Wales

And on 17 March, Companies House sent an email to every company in the UK:

Important information about your Companies House account
To: Dan Neidle
Reply-To: no-reply@companieshouse.gov.uk

Companies House

This is an official email from Companies House, sent to all registered email addresses, and is relevant to all companies registered in the UK. If you’re a third-party agent who has received this email on behalf of a company, please read and forward this message to the company director(s) of all companies you work with.

We are writing to let you know about an issue that affected our WebFiling service, and to explain what you should do next. This advice is relevant to all companies, whether or not you use the WebFiling service to file.

On Friday 13 March, we identified an issue with WebFiling. We took the service offline at 1:30pm that day while we investigated and fixed the problem. WebFiling has been independently tested and has been back online since 9am on Monday 16 March.

The issue arose from a system update in October 2025 and was not the result of a malicious attempt to attack our systems. It is not a cyber-attack. The issue could only have been exploited by a logged-in user performing a specific set of actions. Our investigation found that it was technically possible for a logged-in registered user to:

1. See certain data not normally published on the public register:
  • the day of the date of birth for directors and PSCs
  • residential address for directors and PSCs
  • company registered email address

2. File updates to any information without consent. For example, new accounts or changes of director.

We want to reassure you that:

  • You do not need to reset your WebFiling password.
  • No identity verification data, such as passport information or personal codes, was accessed.
  • No existing filed documents could have been altered.
  • If you have applied to protect your personal details under the Companies Act 2006, your information was not affected by this issue.

What you should do now

We are contacting you proactively on a precautionary basis to make you aware of this issue.

At this stage, we have no confirmed reports of any data having been accessed or changed without permission, and we believe the issue could not have been used to extract data in large volumes.

However, as a precaution, please check your registered details and filing history to make sure everything looks correct. You can do this in WebFiling and on the Find and update company information service.

If anything seems incorrect or unexpected, please contact us on enquiries@companieshouse.gov.uk using ‘WebFiling issue’ in the subject heading. Please include as much detail as you can about your concern, including your company name and number. The more information you can give us to support our investigation — the easier it will be to resolve the issue for you.

Further recommendations

We also recommend signing up to our free Follow service. Follow sends you an instant email alert whenever a document is filed with us for any company you choose to follow — including your own. It’s a simple way to stay informed and spot anything unexpected as soon as it happens. You can sign up through the Find and update company information service and then select ‘Follow this company’ on your company’s page.

Next steps

We have reported this incident to the Information Commissioner’s Office (ICO). We are analysing our data, and if we find evidence that anyone has accessed or changed another company’s details without authorisation, we will take firm action.

We will keep you updated as our investigation progresses.

An apology

We recognise that this incident may have caused concern, and we are sorry for that. Companies House takes its responsibility to protect your data extremely seriously, and we are committed to doing everything we can to support those affected and to maintaining your trust in our services.

I am a little concerned that this is minimising what happened:

  • Saying the vulnerability “could only have been exploited by a logged-in user performing a specific set of actions” downplays the ease of bad actors gaining a Companies House login (very easy: just pay £100 to incorporate a company).
  • The “specific set of actions” sounds like it was something very obscure, when actually it was just pressing the “back” key four times. Given there are five million companies, and the vulnerability was present for five months, it would be surprising if it wasn’t discovered by accident on multiple occasions. The key question is whether it was ignored or exploited.
  • “It is not a cyber-attack” is true but is failing to disclose the actual risk – that the vulnerability could have been used to modify company data and then engineer a fraud on that company or its commercial counterparties/lenders.
  • It leaves open the question of whether Companies House actually can ascertain if the vulnerability was used to access or modify data. The security experts we spoke to thought that, if Companies House had standard audit logging in place, it should be able to see which logged-in accounts accessed unrelated companies’ dashboards, when that happened, and whether they then attempted filings or changes. That ought to make at least some retrospective investigation possible.
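One way to do the retrospective check the experts describe, as an added example that is not Companies House's tooling: replay an audit log in order, treat a successful authentication-code event as the grant of entitlement, and flag any dashboard view or filing against a company the account was never entitled to, plus a per-account count of distinct companies viewed as the bulk-enumeration signal. The log format, event names, accounts and company numbers are constructed for illustration; the real log schema is not public.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample audit log in a hypothetical key=value format. Field and event
# names are assumptions for illustration, not Companies House's real schema.
SAMPLE_LOG = """\
2026-03-13T10:58:02Z user=alice session=s1 event=login
2026-03-13T10:58:30Z user=alice session=s1 event=dashboard_view company=10000001
2026-03-13T11:01:14Z user=bob session=s2 event=login
2026-03-13T11:02:05Z user=bob session=s2 event=auth_code_ok company=10000004
2026-03-13T11:02:20Z user=bob session=s2 event=dashboard_view company=10000004
2026-03-13T11:03:01Z user=bob session=s2 event=file_for_another company=10000003
2026-03-13T11:03:09Z user=bob session=s2 event=auth_code_prompt company=10000003
2026-03-13T11:03:40Z user=bob session=s2 event=dashboard_view company=10000003
2026-03-13T11:05:12Z user=bob session=s2 event=filing_submitted company=10000003 form=CH01
"""

# Entitlements known outside the log: the company each account registered (constructed).
INITIAL_ENTITLEMENTS: Dict[str, Set[str]] = {"alice": {"10000001"}, "bob": {"10000002"}}

# Events that read or change a company's private record and so require entitlement.
SENSITIVE_EVENTS = {"dashboard_view", "filing_submitted"}


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    session: str
    company: str
    event: str


def parse_line(line: str) -> Dict[str, str]:
    """'<timestamp> k=v k=v ...' -> dict; returns {} for blank or malformed lines."""
    parts = line.split()
    if len(parts) < 2 or not re.match(r"^\d{4}-\d{2}-\d{2}T", parts[0]):
        return {}
    rec = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def find_unauthorised_access(log_text: str, entitlements: Dict[str, Set[str]]) -> List[Finding]:
    """Replay the log in order: a successful auth-code event grants entitlement; any
    sensitive event on a company the account is not entitled to is flagged."""
    allowed = {user: set(companies) for user, companies in entitlements.items()}
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or "event" not in rec:
            continue
        user, company, event = rec.get("user", ""), rec.get("company"), rec["event"]
        if event == "auth_code_ok" and company:
            allowed.setdefault(user, set()).add(company)
        elif event in SENSITIVE_EVENTS and company not in allowed.get(user, set()):
            findings.append(Finding(rec["ts"], user, rec.get("session", ""), company or "", event))
    return findings


def companies_viewed_per_user(log_text: str) -> Dict[str, int]:
    """Distinct companies whose dashboard each account opened: a high count from one
    account is the bulk-enumeration signal the article says a scraper would trigger."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("event") == "dashboard_view" and rec.get("company"):
            seen[rec.get("user", "")].add(rec["company"])
    return {user: len(companies) for user, companies in seen.items()}


if __name__ == "__main__":
    for f in find_unauthorised_access(SAMPLE_LOG, INITIAL_ENTITLEMENTS):
        print(f"{f.ts} {f.user} session={f.session} {f.event} on company {f.company}")
    print(companies_viewed_per_user(SAMPLE_LOG))
```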

What happens next

There are obvious security and GDPR implications of revealing directors’ home and email addresses for millions of companies. All the more so if nobody knows which companies were impacted by the vulnerability.

Companies House has obligations under UK GDPR:

  • to notify the Information Commissioner within 72 hours (it appears this has been done), and
  • because this is a “high risk breach”, to notify all those affected “without undue delay”. The general alert (as above) partly satisfies that, but if Companies House becomes aware that any company’s specific data was accessed or modified then they would be required to notify that company.

We expect the Information Commissioner’s Office would take this very seriously, although its usual policy is not to fine public authorities.

What should businesses be doing?

At the present time we have no idea if the exploit was used by bad actors (or indeed just pranksters).

It would seem very sensible for all companies to check their Companies House data and make sure it is as they expect.


Thanks most of all to John Hewitt at Ghost Mail. I hope he receives formal thanks from Companies House.

Thanks to Jonathan Phillips for helping verify the vulnerability, and allowing his own company to be used as a guinea pig.

Thanks to P, T and K for their computer security expertise, and B for Computer Misuse Act advice.

Footnotes

  1. Any “penetration testing” of Companies House has to be conducted very carefully because of the potential to commit a criminal offence, under either the Companies Act or the Computer Misuse Act. Neither has a public interest defence. In our case, access was authorised (by me and Jon) so no offence is committed under the Computer Misuse Act, and whilst John did modify my company data, the modification resulted in accurate data being submitted to Companies House. ↩︎

  2. We couldn’t immediately see if our test change was effective, because it normally takes around 24 hours for changes to be reflected in the dashboard – and the dashboard was shut down almost immediately afterwards. As of Monday 16 March, the dashboard is back up, and this change has not gone through. However that may be because the specific change we made was blocked by Companies House; their email (below) confirms that changes could be made. ↩︎

  3. The “easy” nature of the exploit paradoxically means that the usual automated vulnerability scanners would probably not detect it; however the number of bad actors routinely using Companies House for nefarious purposes means that they could just have discovered it the same way John did. ↩︎

21 responses to “Companies House flaw exposed five million directors and enabled company hijacking”

  1. Oli Thomas

    Interesting read, thanks for the coverage/details on the issue. I agree that today’s email announcement downplays the severity of the issue quite a bit.

  2. Ken Murphy

    Vibe coding… more than just vibes!

  3. John Everett

    No one will be held accountable. As a comment above says, MTD will be the next shambles.

  4. A Patel

    Any ideas on when this will be resolved?

    1. Dan Neidle

      none at all! All still down.

  5. Dr Reuben Kirkham

    Let's hope they kept logs of all requests that were made and by whom and that these are accurate, so they can track down who used this feature and for whom.

    Otherwise, everyone will have to assume their home address leaked. For some people, this could be very serious.

  6. Robert Simons

    It looks to me to be intrinsic to the implementation, i.e. it will have been there from when they got the new Web Filing system working with their Digital ID. Nationwide’s browser-based on-line banking app doesn’t support the Back button: you always have to click on another link on the page and move forward. I surmise that it’s very hard to implement the Back button without opening yourself to vulnerabilities.

    I was distinctly underwhelmed with Companies House’s implementation of Digital ID and the lack of clarity about what you had to do. They told you that you had to have a Digital ID and that it was tied to an email. What they didn’t make clear was that you could have many Digital IDs so long as each one used a separate email address.

    As I thought that I’d only be able to get one Digital ID, I thought I’d better get it for my personal email. In order to avoid being locked out of accessing my company’s records, I therefore changed my registered email address for Companies House to my personal one and got a Digital ID for it. I then used it to complete the registration for Companies House.

    When I established that I could have more than one Digital ID, I got one for my business email address and tried to switch my registration at Companies House. If it’s possible, I haven’t found how to do it, nor has Companies House support been able to show me. The whole way that you get thrown back into the generic OneID pages is so clunky that I’d be astonished if the system hadn’t had vulnerabilities.

    1. Pikolo

      The back button has nothing to do with this – the inability to handle a back button gracefully is evidence of either developer incompetence, or a paranoid WAF* configuration. This sounds like a classic “authentication is not authorization” issue – the API was validating that you were a logged in user, but was not validating that you were authorized to view this specific company’s private details. Authorization checks were probably only implemented in the UI layer, and that is simply not possible to do securely.

      Terms:
      WAF – Web Application Firewall – usually a tool used to make insecure websites appear less insecure, occasionally an element of defence in depth
      authentication – verifying the user is who they say they are
      authorization – verifying the user is allowed to perform a specific operation

    2. David Batley

      I’ve always assumed the back button is disabled by banks to prevent making the same payment twice, showing an old version of the balance, etc. For access control, there’s no real difference between someone going “back” vs typing a previous url into the address bar.

      I would assume the cause is somewhat boring, eg: if the server remembers a “company_id” for the logged in user: one page assumes that being set implies you can access it, another page sets it before authorization is complete?

      I’m glad Companies House are treating this as an urgent, serious matter (as they should)

  7. Paul Weir

    This makes a complete mockery of the hoops my co-directors are having to jump through to get a security code to access Companies House or be fined. In one case the person is having to buy a passport just to prove his identity even though he doesn’t travel and can no longer drive (hence no driving licence). The website to obtain a onegov (full stop removed) identity is the worst website I have ever encountered, and I’m quite tech savvy. It sends people round in circles, sometimes to multiple websites. It is very difficult to have confidence in the security of the government’s websites. The earliest HMRC site was also rubbish.

    1. Marcus Hassall

      The ID implementation was the most incompetent rollout process I have ever seen – it was pure chance as to whether accurate information was accepted, and full of “same click, different result” problems. I still have 3 of our Trustees to get through it. This new failure of security basics is of a piece – if you can’t sort one basic process, you can’t be relied upon to sort any basic process.

    2. Bob Daniel

      Agreed. It’s a shambles. And don’t get me going on the PSC notification process. Dire threats of penalties for not complying with their self-contradicting rules.

  8. Nelson Fernandes Serrao

    This is absolutely shocking!

    There will obviously have to be a full investigation, but this sounds like the current company number is being stored to a cookie/the session and being read blindly… without further validation. Navigating to check for that different company must then be setting that to the new company number…

    Blindly trusting *anything* the user can access/change/manipulate is just a big no-no. Having built sensitive databases myself, you *never* trust the information the browser is reporting.

  9. Damian Williams

    I find it difficult to believe that any major software changes to the website (or an accumulation of minor changes) that exposes sensitive information to users are not fully penetration tested before release to ensure that such “horizontal access” cannot happen.
    Any reputable, competent, commercial developer should (and probably would) include this as a matter of routine via policy and procedure.
    If you have any cyber-security contacts, it might be worth asking them for an informed opinion as to just how serious this could be reputationally and financially if this had happened in the financial or some other commercial sector, and how lucky Companies House is that the [presumed] first person to find it disclosed it responsibly.
    Anything a human can do on a computer can be automated which means it would have been trivially easy to extract and/or update every record at CH with new information.
    (There are some technical restraints on how often you can call their API but with careful targeting, you could do a lot of damage before these were hit).

    1. Richard Sage

      Software companies (and software consultants to customers like Companies House) don’t do testing nowadays. So 1990s!

  10. Joe Williams

    The workflow for adding a new company to your WebFiling account was changed in the past few months – I believe it was at the same time as the OneGov login integration was added. I wonder if that’s what introduced the issue.

  11. Jack Harper

    The 2 golden rules of digitalisation are:
    1 Don’t do it before you can;
    2 Don’t do it just because you can.

    As we are dragged involuntarily with indecent haste into the jobless apocalyptic dystopia of our AI future we must expect more data breaches and service outages.

    On the horizon;
    1 the Making Tax Difficult Meltdown;
    2 the imminent catastrophe of BT’s compulsory Switchover from landlines to WiFi coupled with the completed disappearance of public phone boxes. All digital eggs in one basket.

  12. Simon Haslam

    sheesh – this is seriously scary, and is a major GDPR breach by Companies House – I assume they will be referring themselves to the ICO?

    1. Marcus Hassall

      They have to – and they have 5 million alert letters/emails to send… plus manage the responses. I guess the Confirmation Statement Fee will be going up massively again.

  13. Paul

    That’s so bad! Wonder how long that’s been in place and if it’s been used for any dubious activity.
