How a Companies House bug left 5 million UK business owners vulnerable to hijacking

A massive security vulnerability discovered by chance at Companies House last week allowed unauthorised users to access the private dashboards of any of the 5 million registered UK companies, potentially enabling bad actors to “hijack” a business with just a company number.

Why it matters to freelancers

For freelancers and small business owners, your company is often your livelihood. This flaw didn’t just expose public data; it gave access to:

Private data: Non-public home addresses and personal email addresses of directors.

Company control: The ability to change director details, registered offices, and even file accounts.

Silent exploits: When an unauthorised change was made via this flaw, the confirmation email was sent to the attacker, not the legitimate owner. This means you might not know your company had been hijacked until a loan was taken out in its name.

How was the Companies House vulnerability discovered?

The vulnerability, discovered by John Hewitt of Ghost Mail and reported by Tax Policy Associates, was shockingly simple.

The back door: A user could log into their own company dashboard, click “file for another company,” and enter any company number to gain full access to that entity’s private records and filing capabilities.

The scale: Approximately 5 million directors were potentially exposed.

Current status: Companies House has since disabled the affected dashboard features to patch the hole, but it remains unclear how long the window was open or if data was scraped by organised criminal groups.
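
The access-control failure described above, modelled as a small Python example added here for illustration; it is not Companies House code, and every name, record and email address in it is constructed. It shows a handler that trusts the submitted company number beside one that checks the logged-in user against the target company and sends the confirmation to the contact already on record.

```python
# Illustrative model only: names, data and logic are assumptions,
# not Companies House code.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a user acts on a company they are not authorised for."""


@dataclass
class Company:
    number: str
    registered_office: str
    owner_email: str  # contact already on record for the company
    authorised_users: set = field(default_factory=set)


# Constructed sample data.
COMPANIES = {
    "00000001": Company("00000001", "1 High St", "owner1@example.test", {"alice"}),
    "00000002": Company("00000002", "2 Low Rd", "owner2@example.test", {"bob"}),
}


def change_office_vulnerable(session_user, company_number, new_office, outbox):
    # Flaw as described: being logged in is treated as sufficient, and the
    # company number supplied in the request is trusted as-is.
    company = COMPANIES[company_number]
    company.registered_office = new_office
    # Confirmation goes to whoever made the request, so the owner hears nothing.
    outbox.append((f"{session_user}@example.test", company_number))


def change_office_hardened(session_user, company_number, new_office, outbox):
    company = COMPANIES.get(company_number)
    # Authorise against the target company on every request, server-side.
    if company is None or session_user not in company.authorised_users:
        raise Forbidden(company_number)
    company.registered_office = new_office
    # Notify the contact already on record, independent of the requester.
    outbox.append((company.owner_email, company_number))
```
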

What should freelancers do?

Check your records: Search your company on the Companies House register immediately to ensure no unauthorised filings (such as a change of address or new director) have appeared.

Sign up for “Follow”: Use the free Companies House “Follow” service. It sends you an email alert the instant any document is filed for your company.

Enable PROOF: Join the PROtected Online Filing (PROOF) scheme. This prevents paper forms from being used to change your company’s details, requiring all changes to be made through a secure electronic link.

Read the full investigation at Tax Policy Associates
