AIBD
Wednesday, 15 April 2026
Sarah Kim
Workplace Transformation Editor

The Back Button Breach: When Five Million Directors Met the Browser's Undo Function

March's Companies House WebFiling disaster proves that sometimes the most sophisticated government systems can be undone by pressing Ctrl+Z four times


Friday 13th March, 1:30pm: The Day the Registry Broke

On Friday 13 March, Companies House discovered that logged-in users could "potentially access and change some elements of another company's details without their consent after performing a specific set of actions." The service was promptly closed at 1:30pm while investigators scrambled to understand what had gone wrong.

What had gone wrong was this: anyone with a WebFiling account could select 'file for another company', enter any company number, and when prompted for an authentication code they didn't have, simply press the back button four times. This would automatically log them into the targeted company's account.

Four clicks. That's all it took to access the private dashboards of five million registered companies. Not sophisticated hacking tools. Not social engineering. The browser's back button.
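A simplified model of this class of flaw, added here as an illustration: it is not Companies House code, and the actual defect has not been published beyond "an application defect". The class and method names, company numbers and authentication codes are all hypothetical; the weak session switches company context before the code is verified, while the hardened one authorises every request server-side.

```python
# Hypothetical model, NOT Companies House code: a session that trusts
# workflow state versus one that authorises every request server-side.
import hmac

# Constructed sample data: company number -> authentication code.
AUTH_CODES = {"00000001": "A1B2C3", "00000002": "X9Y8Z7"}


class WeakSession:
    """Sets the acting company as soon as a number is entered."""

    def __init__(self):
        self.company = None

    def select_company(self, number):
        self.company = number  # defect: state changes before any proof

    def submit_auth_code(self, number, code):
        # A wrong code is rejected, but self.company is never rolled back.
        return hmac.compare_digest(AUTH_CODES.get(number, ""), code)

    def dashboard(self):
        # Trusts whatever company the session holds, however it got there.
        return f"dashboard:{self.company}" if self.company else None


class HardenedSession:
    """Records a company only after its code verifies; checks each request."""

    def __init__(self):
        self.pending = None
        self.verified = set()

    def select_company(self, number):
        self.pending = number  # a request, not an authorisation

    def submit_auth_code(self, number, code):
        expected = AUTH_CODES.get(number)
        ok = (expected is not None and number == self.pending
              and hmac.compare_digest(expected, code))
        if ok:
            self.verified.add(number)
        self.pending = None  # one attempt per selection
        return ok

    def dashboard(self, number):
        if number not in self.verified:
            raise PermissionError("company not authorised for this session")
        return f"dashboard:{number}"
```

In the weak model, leaving the code prompt without a valid code still reaches the selected company's dashboard; in the hardened model the same sequence raises `PermissionError`, because navigation order never grants access.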

The Absurdity of Simplicity

The vulnerability was discovered by John Hewitt at Ghost Mail, a corporate services provider, who tried to contact Companies House immediately but received no response. Tax Policy Associates founder Dan Neidle called it "an absolutely insane flaw in how easy it is to find."

The issue dated back to October 2025, when Companies House updated its systems to integrate with GOV.UK One Login, replacing the older Government Gateway. The vulnerability may have existed undetected for up to five months.

Five months. During which any of the millions of users logging in to file confirmation statements, submit accounts, or update director details could have accidentally or deliberately wandered into someone else's corporate filing cabinet.

What Was Actually Exposed

Companies House confirmed that "specific data from individual companies not normally published on the Companies House register may have been visible to other logged-in WebFiling users." This included the sort of information that makes compliance officers wake up in cold sweats: directors' dates of birth, residential addresses, and company email addresses. It may also have been possible for unauthorised filings to have been made on another company's record.

Someone could have submitted filings on behalf of another company while the flaw was active, including company accounts or changes to director details that would appear on the affected company's public record.

The Weekend of Reckoning

WebFiling was closed at 1:30pm on Friday 13 March and remained offline until 9am on Monday 16 March after independent testing confirmed the fix.

Companies House CEO Andy King later told parliament's Business and Trade Committee that "extensive analysis of system records" was underway to identify anomalous activity. Investigations were ongoing, with "indicative findings suggest[ing] that the issue was caused by an application defect which was not identified during testing or by peer review."

What This Means for Your Monday Morning

Companies House is asking all companies to check their registered details and filing history to ensure everything appears correct, with concerns to be reported to enquiries@companieshouse.gov.uk using 'WebFiling issue' in the subject heading.

Some of the potentially exposed data wasn't public in the first place, meaning you may not be able to tell from the public register alone whether someone viewed information they shouldn't have seen.

Directors should immediately:

  1. Review your Companies House record for any unexpected filings since October 2025
  2. Check director details for unauthorised changes to addresses or contact information
  3. Scrutinise filing dates to ensure all submissions genuinely came from you or your authorised agents
  4. Set up the Follow feature on Companies House to receive alerts when changes are made
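One way to run steps 1 to 3 across many companies, as an added example (not a Companies House tool): reconcile each company's filing history against your own submission log for the exposure window. The records, field names and transaction ids are constructed, and the 1 October 2025 start date is an assumption, since the article gives only "October 2025".

```python
from datetime import date

# Exposure window from the article; the exact October start day is assumed.
WINDOW_START = date(2025, 10, 1)
WINDOW_END = date(2026, 3, 16)

# Companies House form types that alter director or registered office
# details; these are reviewed first.
SENSITIVE_TYPES = {"AP01", "TM01", "CH01", "AD01"}


def unexpected_filings(filing_history, submission_log):
    """Return filings inside the window that our own log cannot account for."""
    # Matching on (type, date) is deliberately coarse: anything unmatched
    # goes to a human for review rather than being silently accepted.
    known = {(s["type"], s["date"]) for s in submission_log}
    flagged = []
    for f in filing_history:
        filed = date.fromisoformat(f["date"])
        if not (WINDOW_START <= filed <= WINDOW_END):
            continue
        if (f["type"], f["date"]) in known:
            continue
        priority = "high" if f["type"] in SENSITIVE_TYPES else "review"
        flagged.append((priority, f["date"], f["type"], f["id"]))
    # High-priority items first, then oldest first.
    return sorted(flagged, key=lambda x: (x[0] != "high", x[1]))


# Constructed sample data (not real filings).
HISTORY = [
    {"id": "T1", "type": "CS01", "date": "2025-09-12"},
    {"id": "T2", "type": "AA", "date": "2025-11-03"},
    {"id": "T3", "type": "CH01", "date": "2026-01-20"},
    {"id": "T4", "type": "AD01", "date": "2025-12-02"},
    {"id": "T5", "type": "CS01", "date": "2026-02-14"},
]
OUR_LOG = [
    {"type": "AA", "date": "2025-11-03"},
    {"type": "AD01", "date": "2025-12-02"},
]

if __name__ == "__main__":
    for row in unexpected_filings(HISTORY, OUR_LOG):
        print(row)
```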

Professional service providers are reporting they "have not identified any unexpected filings for any of our company secretarial clients in the period from October 2025 to 16 March 2026," though they're advising all clients to review their records.

The Long View

Andy King acknowledged to MPs that while this wasn't a cyber-attack, Companies House is "continuing to strengthen our security posture" and "developing a case for investment to modernise our architecture and reduce risks associated with legacy applications."

The registry that oversees five million companies had been running on systems that couldn't handle a browser's back button gracefully.

Companies House says there are "no reports at this stage of data having been accessed or changed without permission," though its investigation continues. Whether that's because nothing happened or because they can't tell the difference remains an open question.

With Companies House identity verification deadlines looming for existing directors (November 2026), and the agency's expanded powers under ECCTA coming into full effect, the back button breach feels like an ominous preview. Companies House is asking for our trust while simultaneously asking us to check whether someone's been rifling through our digital filing cabinets.

The confirmation statement deadline waits for no security incident. Neither does the nine-month accounts filing window that starts ticking from your year-end, regardless of whether Companies House can tell a back button from a security breach.
