CYBER

UK Companies House Confirms Critical Security Flaw Exposed Millions of Companies' Sensitive Data


The UK's official corporate registry, Companies House, has confirmed a significant security vulnerability within its WebFiling service that exposed the sensitive information of approximately five million registered businesses. The flaw, which was active for five months from October 2025, allowed authenticated users to bypass intended access controls. According to cybersecurity researcher Dan Neidle, founder of Tax Policy Associates, the exploit sequence was alarmingly simple: a user would log into their own company dashboard, select the option to "file for another company," and input any other company's registration number. When prompted for an authentication code—which the user would not possess—they could simply press the browser's 'back' button multiple times. This action would circumvent the security check, redirecting the user not to their own dashboard, but to the full company dashboard of the initially targeted firm.

The exposed data included highly sensitive personal information, such as the home addresses and email addresses of company directors and other management personnel. This type of data is a prime target for phishing campaigns, identity theft, and other forms of corporate espionage. The vulnerability was reportedly discovered by John Hewitt of Ghost Mail, but after failing to receive a response from Companies House, the issue was escalated by Dan Neidle. In response, Companies House took its WebFiling service offline on Friday to implement a fix, bringing it back online by Monday with the vulnerability resolved. The agency attributed the security gap to a system update performed in October 2025, highlighting the critical need for rigorous security testing following any IT infrastructure changes.

This incident underscores a persistent challenge in public sector digital services: balancing accessibility with robust security. While services like WebFiling are designed for convenience, a single logic flaw in authentication workflows can lead to massive data breaches. The five-month exposure window is particularly concerning, suggesting a potential gap in proactive security monitoring or vulnerability disclosure processes. Organizations managing vast public datasets must implement stringent continuous security validation, including regular penetration testing and automated checks for authorization bypasses, to prevent such "broken access control" flaws, which are consistently ranked among the top web application security risks by OWASP.
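To make the class of flaw concrete, here is an added, illustrative model (not Companies House's code, and not a reconstruction of its internals) of the "file for another company" workflow described above. It assumes a session object that separately records navigation state (which company's code prompt was started) and authorisation state (which companies a code has actually been proven for); the vulnerable dashboard handler trusts the former, the fixed one checks only the latter on every request. Company numbers, codes and director details are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Dict

# Constructed sample registry: company number -> (auth code, restricted director data)
COMPANIES: Dict[str, tuple] = {
    "00000001": ("CODE-A", {"director": "A. Example", "home_address": "1 Sample Street"}),
    "00000002": ("CODE-B", {"director": "B. Example", "home_address": "2 Sample Road"}),
}

@dataclass
class Session:
    user_id: str
    own_company: str
    pending_company: Optional[str] = None      # navigation state only
    authorised: Set[str] = field(default_factory=set)  # proven grants only

def login(user_id: str, own_company: str) -> Session:
    s = Session(user_id, own_company)
    s.authorised.add(own_company)   # the login itself proves this grant
    return s

def start_file_for_another(s: Session, company_number: str) -> str:
    # Remembers the user's choice so the code prompt can be shown; proves nothing.
    s.pending_company = company_number
    return "prompt_for_auth_code"

def submit_auth_code(s: Session, code: str) -> bool:
    target = s.pending_company
    if target in COMPANIES and COMPANIES[target][0] == code:
        s.authorised.add(target)    # authorisation is granted only here
        s.pending_company = None
        return True
    return False

def dashboard_vulnerable(s: Session) -> dict:
    # Flaw: picks the company from navigation state, so backing out of the
    # code prompt still leaves the targeted company selected.
    target = s.pending_company or s.own_company
    return COMPANIES[target][1]

def dashboard_fixed(s: Session, company_number: str) -> Optional[dict]:
    # Fix: authorise every request against proven grants, independent of
    # how the user navigated here. Return None (403 in a real app) and log it.
    if company_number not in s.authorised:
        return None
    return COMPANIES[company_number][1]
```

Denied requests for a company the session never proved a code for are also a useful detection signal: a burst of them from one account is exactly the probing pattern this bug invited.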

The broader cybersecurity landscape this week also featured several other critical threats. The AppsFlyer Web SDK was hijacked to distribute cryptocurrency-stealing JavaScript, the FBI is investigating malware distributed through Steam games, and CISA warned of active exploitation of a flaw in Wing FTP Server. Meanwhile, Microsoft addressed an issue where a Samsung app was blocking access to the Windows C: drive and detailed a sophisticated attack on Stryker that wiped thousands of devices without using traditional malware. These events collectively emphasize that threats are evolving across all vectors—from third-party software supply chains and popular gaming platforms to enterprise applications and physical medical devices—requiring a vigilant, multi-layered defense strategy.
