
Kenya: Safaricom Closes Multi-Year Router Loophole That Enabled Free Fibre Internet Access


Safaricom has quietly resolved a long-standing vulnerability in its Home Fibre network that allowed thousands of users to access broadband services without paying or at significantly reduced rates. The flaw, which dates back to at least 2018, was only fully addressed in 2024—after years of revenue leakage and growing concerns about system integrity.

Sources close to the matter estimate the loophole may have cost Kenya’s largest telecoms operator tens of millions of shillings in lost income. The issue exposed serious gaps in the company’s infrastructure and internal controls, particularly as Safaricom rapidly expanded its dominance in the country’s fixed broadband market.

Generic Credentials Behind the Exploit

The vulnerability stemmed from Safaricom’s use of Point-to-Point Protocol over Ethernet (PPPoE) on its fibre network. While PPPoE required both a username and password to authenticate access, insiders revealed that the system accepted a single, universal password for multiple accounts, making unauthorized logins surprisingly easy.

“People would simply use a known account number as a username and apply the default password,” said an engineer familiar with the system, who requested anonymity.

This workaround was widely abused, often with the assistance of Safaricom’s outsourced sales agents. Customers whose subscriptions had expired could pay agents informal fees—as little as KES 1,000 (approx. $8)—to reset their routers using compromised or recycled login credentials, bypassing Safaricom’s official billing system. Legitimate subscription fees typically ranged from KES 2,999 to KES 20,000 ($23 to $155).

“It was an open secret in some neighborhoods,” another engineer confirmed. “Once the router was reset, agents or insiders with access to old credentials could get the user back online without triggering Safaricom’s billing system.”

Legacy Systems Delayed Fixes

The vulnerability persisted due to legacy components within the telco’s early fibre deployment. Engineers say patching the flaw wasn’t a simple fix and required a significant overhaul of backend systems.

“This wasn’t something you could resolve with a software patch,” an insider explained. “The system architecture itself needed to evolve.”

Despite internal awareness, Safaricom’s rapid network expansion—adding thousands of new customers monthly—meant the issue lingered. It wasn’t until 2024 that the company implemented a comprehensive fix: enforcing unique, complex passwords for every account and tightening session restrictions to block concurrent logins from different locations.

Even if someone now obtains valid login details, “they won’t be able to use them unless the main user is offline,” said the source.
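The two controls described above, per-account credentials with no shared default and a single active session per account, can be sketched as an added example. This is not Safaricom's code and nothing is known about their actual backend; the toy authenticator, the salted PBKDF2 storage scheme, the session identifiers and the account names are all assumptions, and the "default-placeholder" password is a constructed stand-in for whatever universal password the legacy system accepted. The audit function shows the defender-side check that such a system needs: since salted hashes cannot be compared across accounts directly, it tests each account against a list of known weak or default passwords.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

PBKDF2_ROUNDS = 50_000  # illustrative work factor; tune for the hardware in use


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a PPPoE password (assumed scheme, not the operator's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    active_session: Optional[str] = None  # access-port identifier currently logged in, if any


class PppoeAuthenticator:
    """Toy PPPoE credential check with a single-active-session rule (hypothetical design)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def provision(self, username: str, password: str) -> None:
        # Every account gets its own random salt and its own password; there is no
        # shared default that a known account number could be paired with.
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, derive(password, salt))

    def authenticate(self, username: str, password: str, session_id: str) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "REJECT"
        if not hmac.compare_digest(acct.digest, derive(password, acct.salt)):
            return "REJECT"
        # Concurrent-login restriction: a valid credential is not enough while the
        # account is already online from a different access point.
        if acct.active_session is not None and acct.active_session != session_id:
            return "REJECT_ACTIVE_SESSION"
        acct.active_session = session_id
        return "ACCEPT"

    def logoff(self, username: str) -> None:
        acct = self.accounts.get(username)
        if acct is not None:
            acct.active_session = None


def audit_default_passwords(auth: PppoeAuthenticator, candidates: list[str]) -> list[str]:
    """Return the accounts that still accept any password from a list of known weak defaults."""
    flagged = []
    for name, acct in auth.accounts.items():
        for cand in candidates:
            if hmac.compare_digest(acct.digest, derive(cand, acct.salt)):
                flagged.append(name)
                break
    return sorted(flagged)


def demo() -> dict:
    """Constructed scenario: two properly provisioned accounts plus one legacy account
    that still carries the constructed placeholder default password."""
    auth = PppoeAuthenticator()
    auth.provision("acct-0001", "Qv9!tr3L-unique")
    auth.provision("acct-0002", "m7#Wz2p-different")
    auth.provision("legacy-0003", "default-placeholder")  # constructed weak default

    results = {}
    results["flagged"] = audit_default_passwords(auth, ["default-placeholder", "admin"])
    results["first_login"] = auth.authenticate("acct-0001", "Qv9!tr3L-unique", "olt1/port7")
    results["second_site"] = auth.authenticate("acct-0001", "Qv9!tr3L-unique", "olt4/port2")
    results["same_site_again"] = auth.authenticate("acct-0001", "Qv9!tr3L-unique", "olt1/port7")
    auth.logoff("acct-0001")
    results["after_logoff"] = auth.authenticate("acct-0001", "Qv9!tr3L-unique", "olt4/port2")
    results["bad_password"] = auth.authenticate("acct-0002", "wrong", "olt2/port1")
    results["unknown_user"] = auth.authenticate("nobody", "x", "olt2/port1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the legacy account flagged by the audit, the first login accepted, the same credentials rejected from a second access point while that session is still up, and accepted again only after logoff, which is the behaviour the source describes: valid login details are useless unless the main user is offline.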

Financial and Market Impact

Safaricom has not issued an official statement or disclosed exact losses. However, internal estimates indicate the flaw drained the company of significant revenue over the years. Insiders believe the losses could have ballooned further had the loophole remained unchecked.

According to the Communications Authority of Kenya, Safaricom currently serves 678,118 customers and controls 36.5% of the country’s fixed internet market, making it Kenya’s leading internet service provider.

As the company now works to rebuild trust and reinforce system integrity, the episode underscores the importance of robust cybersecurity practices—even in legacy infrastructure—and the hidden risks of rapid digital expansion without sufficient oversight.
