Companies House has confirmed that its WebFiling service suffered a security issue that, in certain circumstances, allowed a logged-in WebFiling user to access and potentially change some details for companies they were not authorised to manage. The service was taken offline at 1.30 pm on Friday, 13 March 2026, and restored at 9 am on Monday, 16 March 2026, after what Companies House says was an investigation, remediation and independent testing.
The concern here is not just a routine outage. According to Companies House, data that is not normally public on the register may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses and company email addresses. It also says it may have been possible for unauthorised filings to be made on another company’s record, including accounts filings or changes to directors.
Reporting from AccountingWEB and Tax Policy Associates says the flaw was alarmingly simple to exploit: a user could log in to their own account, choose the option to file for another company, enter another company number, and then use the browser back button in a particular way to land on that other company’s dashboard without the correct authentication code. AccountingWEB reports the issue potentially affected more than five million companies, and Companies House says its investigation indicates the problem was introduced in an October 2025 WebFiling update.
Companies House has also tried to draw some boundaries around the incident. It says that passwords were not compromised, that identity verification data, such as passport information, was not accessed, and that previously filed documents could not be altered once already on the register. It also says it has, at this stage, received no reports of any change to company details without permission, although its investigation is still ongoing. The incident has been reported to the Information Commissioner’s Office and the National Cyber Security Centre.
Even so, this is serious enough that every limited company, LLP and adviser should take a look at the register now rather than assume all is well. Other coverage has highlighted the risk of fraud and company hijacking if an attacker were able to submit changes or false filings during the window of exposure, even if the full scale is still unclear.
What business owners should check on their public Companies House record
Start with the free Companies House “Find and update company information” service and review your company record carefully. The public record is the quickest place to spot whether anything obvious has changed.
Check the basics first:
What you cannot easily check from the public record
The awkward part is that some of the data reportedly exposed was not public in the first place, including residential addresses, full dates of birth and company email addresses. That means you may not be able to tell from the public register alone whether someone viewed information they should not have seen. Companies House says it will email every company at its registered email address with guidance on what to check.
So even if your public record looks fine, it is still worth keeping an eye on:
What to do if you spot something wrong
If you find a change or filing on your company record that you did not authorise, do not ignore it and do not assume it will sort itself out.
First, take evidence straight away. Save screenshots, note the filing reference, download the relevant filing from the register, and keep a timeline of what you found and when.
Second, raise it with Companies House immediately. In its 16 March statement, Companies House specifically told companies with concerns to raise a complaint and include evidence.
Third, consider whether the problem is one of these specific categories:
If the registered office or service address has been changed wrongly, there is an official RP07 process to apply to change a disputed address.
If personal details are being used without your permission, there is separate GOV.UK guidance for reporting that to Companies House.
If a filing appears to be forged, invalid, ineffective or factually wrong, there are rectification routes available to ask Companies House to correct the register. GOV.UK also provides guidance on removing information that should never have been delivered.
If you believe there has been fraud or impersonation, treat it as more than an admin issue. Depending on the circumstances, you may need to speak to your accountant or solicitor, notify affected banks or lenders, and report the matter to Action Fraud or the police, as well as Companies House. Companies House itself notes there are limits to what it can do and that fraud issues may need to be reported elsewhere.
The bigger point
This incident is uncomfortable for a simple reason: Companies House is meant to be one of the core trust layers in UK business life. If business owners cannot be confident that only authorised people can access filing dashboards and submit changes, that confidence takes a knock.
The official line from Companies House is that the issue is fixed, that there is no evidence so far of unauthorised changes, and that the exposure was limited to logged-in WebFiling users acting on one company at a time rather than large-scale automated extraction. That may prove reassuring in part, but it is not the same as saying no harm was done. For now, the sensible approach is to check your record, stay alert, and keep evidence of anything that looks out of place.
For UK Business Forums members, this is exactly the sort of issue where the community can help: comparing notes, sharing what you are seeing on the register, and flagging any oddities quickly. If you run a limited company, today is a good day to look yourself up on Companies House and make sure the public record still says what it should.
The concern here is not just a routine outage. According to Companies House, data that is not normally public on the register may have been visible to other logged-in WebFiling users, including dates of birth, residential addresses and company email addresses. It also says it may have been possible for unauthorised filings to be made on another company’s record, including accounts filings or changes to directors.
Reporting from AccountingWEB and Tax Policy Associates says the flaw was alarmingly simple to exploit: a user could log in to their own account, choose the option to file for another company, enter another company number, and then use the browser back button in a particular way to land on that other company’s dashboard without the correct authentication code. AccountingWEB reports the issue potentially affected more than five million companies, and Companies House says its investigation indicates the problem was introduced in an October 2025 WebFiling update.
Companies House has also tried to draw some boundaries around the incident. It says that passwords were not compromised, that identity verification data, such as passport information, was not accessed, and that previously filed documents could not be altered once already on the register. It also says it has, at this stage, received no reports of any change to company details without permission, although its investigation is still ongoing. The incident has been reported to the Information Commissioner’s Office and the National Cyber Security Centre.
Even so, this is serious enough that every limited company, LLP and adviser should take a look at the register now rather than assume all is well. Other coverage has highlighted the risk of fraud and company hijacking if an attacker were able to submit changes or false filings during the window of exposure, even if the full scale is still unclear.
What business owners should check on their public Companies House record
Start with the free Companies House “Find and update company information” service and review your company record carefully. The public record is the quickest place to spot whether anything obvious has changed.
Check the basics first:
- Your registered office address. Make sure it is still correct and has not been changed to an address you do not recognise.
- Your directors and secretary details. Check names, appointment dates and service addresses.
- Your people with significant control (PSCs). Make sure no PSC has been added, removed or amended incorrectly.
- Your filing history. Look for any accounts, confirmation statement, officer appointment, termination, registered office change, or other filing you were not expecting.
- Your company status. Watch for anything unusual such as strike-off activity, unexpected notices or changes that do not fit with your own filing timetable.
- Your accounts and confirmation statement entries. Even if a filing looks routine, check the date and description carefully to make sure it really came from you or your agent.
What you cannot easily check from the public record
The awkward part is that some of the data reportedly exposed was not public in the first place, including residential addresses, full dates of birth and company email addresses. That means you may not be able to tell from the public register alone whether someone viewed information they should not have seen. Companies House says it will email every company at its registered email address with guidance on what to check.
So even if your public record looks fine, it is still worth keeping an eye on:
- unexpected emails claiming to be from Companies House
- strange post arriving at directors’ home or service addresses
- signs of attempted identity fraud or phishing
- messages from banks, lenders or suppliers querying filings you did not make
What to do if you spot something wrong
If you find a change or filing on your company record that you did not authorise, do not ignore it and do not assume it will sort itself out.
First, take evidence straight away. Save screenshots, note the filing reference, download the relevant filing from the register, and keep a timeline of what you found and when.
Second, raise it with Companies House immediately. In its 16 March statement, Companies House specifically told companies with concerns to raise a complaint and include evidence.
Third, consider whether the problem is one of these specific categories:
If the registered office or service address has been changed wrongly, there is an official RP07 process to apply to change a disputed address.
If personal details are being used without your permission, there is separate GOV.UK guidance for reporting that to Companies House.
If a filing appears to be forged, invalid, ineffective or factually wrong, there are rectification routes available to ask Companies House to correct the register. GOV.UK also provides guidance on removing information that should never have been delivered.
If you believe there has been fraud or impersonation, treat it as more than an admin issue. Depending on the circumstances, you may need to speak to your accountant or solicitor, notify affected banks or lenders, and report the matter to Action Fraud or the police, as well as Companies House. Companies House itself notes there are limits to what it can do and that fraud issues may need to be reported elsewhere.
The bigger point
This incident is uncomfortable for a simple reason: Companies House is meant to be one of the core trust layers in UK business life. If business owners cannot be confident that only authorised people can access filing dashboards and submit changes, that confidence takes a knock.
The official line from Companies House is that the issue is fixed, that there is no evidence so far of unauthorised changes, and that the exposure was limited to logged-in WebFiling users acting on one company at a time rather than large-scale automated extraction. That may prove reassuring in part, but it is not the same as saying no harm was done. For now, the sensible approach is to check your record, stay alert, and keep evidence of anything that looks out of place.
For UK Business Forums members, this is exactly the sort of issue where the community can help: comparing notes, sharing what you are seeing on the register, and flagging any oddities quickly. If you run a limited company, today is a good day to look yourself up on Companies House and make sure the public record still says what it should.
