Safaricom has finally plugged a major vulnerability in its Home Fibre network that, for years, allowed thousands of customers to get internet service for free or at steep discounts, with lost revenue that internal estimates put in the tens of millions of dollars.
The flaw, which insiders say existed as far back as 2018, was only fully resolved in 2024. It lay in weak subscriber authentication in Safaricom's fixed broadband infrastructure, a serious security gap that persisted through a period of rapid expansion.
According to two engineers familiar with the issue, the vulnerability centred on the telco's use of Point-to-Point Protocol over Ethernet (PPPoE), which authenticates each subscriber session with a username and password before granting access. Usernames were unique per customer, but a single generic password was accepted for every account, so anyone who knew it could log in as any customer.
“People would often use someone’s account number as the username and apply the general password,” one engineer revealed, adding that this practice was widespread and, in some cases, facilitated by Safaricom’s outsourced sales agents.
Customers whose subscriptions had expired could reportedly pay as little as $8 to have an agent reset the router and reconfigure it with alternate credentials—bypassing official channels and Safaricom’s regular monthly rates, which typically range from $23 to $155.
“This became common in certain areas,” another engineer said. “Expired accounts were recycled or hijacked, and Safaricom wouldn’t receive a cent.”
The workaround worked best with dormant or cancelled accounts, and it was hard to detect: only one session per account was allowed, so the hijacked session never collided with a legitimate one, and a former customer who no longer used the account had no reason to notice.
Despite awareness of the issue internally, Safaricom’s technical teams struggled to fix the problem quickly. Much of the fibre network’s backend still relied on legacy systems from its early deployment, making a full resolution complex and time-consuming.
“This wasn’t something you could patch with one update,” the source added.
By 2024, however, Safaricom had rolled out structural changes to finally close the loophole. The new system enforces a unique, complex password for every account and limits each to a single active session, so a leaked generic password no longer opens every account, although an individual account's credentials can still be used while its legitimate owner is offline.
“If someone were to get a username and password now, they still wouldn’t be able to connect unless the legitimate user was offline,” the engineer explained.
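To make the two authentication regimes concrete, here is a constructed model of a PPPoE subscriber check, added for this page and not Safaricom's code or configuration. The account numbers, the stand-in "shared" password, the status values and the choice of PBKDF2 for storing per-account secrets are all assumptions; what the block shows is the weak scheme from the article (any known account number plus the generic password, with no status check) beside a hardened one with a per-account secret, an account-status check and a single-session limit.

```python
"""Constructed model of the PPPoE subscriber check the article describes.

Nothing here is Safaricom's code or configuration: the account numbers,
the 'shared' password, the status values and the choice of PBKDF2 are all
assumptions made for the illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# ---- Weak scheme (the flaw): unique usernames, one password for everyone ----

SHARED_PASSWORD = "fibre-generic"            # constructed stand-in for the generic password
WEAK_SUBSCRIBERS: Dict[str, str] = {         # username (account number) -> status
    "ACC100001": "active",
    "ACC100002": "expired",
    "ACC100003": "cancelled",
}


def weak_authenticate(username: str, password: str) -> bool:
    """Accepts any known account number with the shared password.

    Status is never consulted, so expired and cancelled accounts keep
    working, which is exactly the 'recycled account' abuse in the article.
    """
    return username in WEAK_SUBSCRIBERS and password == SHARED_PASSWORD


# ---- Hardened scheme: per-account secret, status check, one session ----

def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption here; a RADIUS backend might store CHAP
    # secrets differently, but the per-account, salted secret is the point.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Subscriber:
    status: str
    salt: bytes
    secret_hash: bytes
    active_session: Optional[str] = None   # id of the single allowed PPPoE session


class HardenedAuthenticator:
    def __init__(self) -> None:
        self.subscribers: Dict[str, Subscriber] = {}

    def provision(self, username: str, status: str = "active") -> str:
        """Create the account with a random, unique password and return that
        password (what would be pushed to the customer's router)."""
        password = os.urandom(12).hex()
        salt = os.urandom(16)
        self.subscribers[username] = Subscriber(status, salt, _derive(password, salt))
        return password

    def authenticate(self, username: str, password: str, session_id: str) -> Tuple[bool, str]:
        """Returns (accepted, reason). Every rejection path is explicit so the
        access server can log which control fired."""
        sub = self.subscribers.get(username)
        if sub is None:
            return False, "unknown account"
        if not hmac.compare_digest(_derive(password, sub.salt), sub.secret_hash):
            return False, "bad password"
        if sub.status != "active":
            return False, "account " + sub.status
        if sub.active_session is not None:
            return False, "already online"
        sub.active_session = session_id
        return True, "ok"

    def disconnect(self, username: str) -> None:
        """Called when the PPPoE session ends, freeing the single slot."""
        sub = self.subscribers.get(username)
        if sub is not None:
            sub.active_session = None


def demo() -> Dict[str, object]:
    """Runs both schemes against the same abuse pattern."""
    auth = HardenedAuthenticator()
    pw_active = auth.provision("ACC100001")
    pw_expired = auth.provision("ACC100002", status="expired")
    results = {
        # Weak scheme: the shared password works on an expired account too
        "weak_expired": weak_authenticate("ACC100002", SHARED_PASSWORD),
        "weak_wrong_password": weak_authenticate("ACC100001", "guess"),
        # Hardened scheme
        "hard_shared_pw_rejected": auth.authenticate("ACC100001", SHARED_PASSWORD, "s1"),
        "hard_first_login": auth.authenticate("ACC100001", pw_active, "s1"),
        "hard_second_login": auth.authenticate("ACC100001", pw_active, "s2"),
        "hard_expired": auth.authenticate("ACC100002", pw_expired, "s3"),
    }
    auth.disconnect("ACC100001")
    results["hard_after_disconnect"] = auth.authenticate("ACC100001", pw_active, "s2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points follow from the model. The status check, not the session limit, is what closes the dormant-account case: a cancelled account has no legitimate session to collide with, so a single-session rule alone would still let its recycled credentials through, which is what the engineer's own caveat about offline users describes. And because every rejection returns a distinct reason, an access server that logs them gets a cheap detection signal: repeated "already online" rejections against one account are a strong hint that its credentials are being shared.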
While Safaricom has not publicly commented or disclosed how much revenue was lost, internal estimates suggest the cumulative losses could be substantial, potentially in the tens of millions of dollars.
Despite the years-long abuse, the telco has emerged with its market leadership intact. According to the Communications Authority of Kenya, Safaricom now holds 36.5% of the country’s fixed internet market, with 678,118 customers, making it Kenya’s largest ISP.