A broken access control flaw in the UK Government’s Companies House WebFiling service exposed private dashboard data for approximately five million registered UK companies between October 2025 and approximately March 2026. Any authenticated user could access another company’s filing dashboard, including director home addresses, dates of birth, and email addresses, by pressing the browser back button after a failed login. The exposure window of roughly five months, combined with the trivial exploitation method, creates material risk of identity fraud, targeted phishing against directors, and potentially fraudulent company filings.
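The access pattern described above, modelled as an added example (it is not Companies House code and is not taken from the page). It assumes the flaw behaves like a session that records the target company before the authentication code is verified, and contrasts that with a login and dashboard handler that authorise per request; all company numbers, codes and function names are constructed.

```python
import hmac

# Constructed sample data: company number -> authentication code / dashboard.
AUTH_CODES = {"00000001": "ALPHA1", "00000002": "BRAVO2"}
DASHBOARDS = {"00000001": "dashboard for 00000001", "00000002": "dashboard for 00000002"}


def new_session(user):
    return {"user": user, "company": None, "verified": set()}


def code_ok(company, code):
    expected = AUTH_CODES.get(company)
    return expected is not None and hmac.compare_digest(expected.encode(), code.encode())


def company_login_weak(session, company, code):
    # Assumed flaw: the target company is written to the session before the
    # code is checked, and is left there when the check fails.
    session["company"] = company
    if code_ok(company, code):
        session["verified"].add(company)
        return True
    return False


def company_login_fixed(session, company, code):
    # The session only points at a company after its code has been verified.
    if not code_ok(company, code):
        return False
    session["verified"].add(company)
    session["company"] = company
    return True


def dashboard_weak(session):
    # Trusts whatever company the session currently points at.
    return DASHBOARDS.get(session["company"])


def dashboard_checked(session):
    # Authorises on every request, so stale navigation state (for example a
    # back-button revisit after a failed login) cannot widen access.
    company = session["company"]
    if company not in session["verified"]:
        raise PermissionError("session is not authorised for this company")
    return DASHBOARDS[company]
```

The per-request check in `dashboard_checked` is the control that matters: it still refuses the request even if the weak login routine has left the wrong company in the session.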