Safaricom has finally resolved a deep-rooted security flaw in its Home Fibre network that allowed internet theft for nearly six years.
The breach, tied to outdated authentication protocols, reportedly drained the company of tens of millions of Kenyan shillings before it was closed in 2024.
According to two engineers directly involved, the vulnerability arose from Safaricom’s use of a Point-to-Point Protocol over Ethernet (PPPoE) system that assigned unique usernames but permitted a single, generic password across all accounts.
“People would often use someone’s account number as the username and apply the general password,” one engineer revealed, speaking anonymously to TechCabal.
This loophole, known to insiders for years, allowed thousands of users to bypass Safaricom’s official billing. In many instances, outsourced sales agents facilitated the fraud, accepting informal payments as low as KES 1,000 to reset routers and input fresh credentials.
This restored internet services without routing payments through official Safaricom channels. Monthly charges for legitimate fibre packages typically ranged from KES 2,999 to KES 20,000.
The breach reveals huge gaps in Safaricom’s internal security. Although the company tops Kenya’s fixed internet market, holding a 36.5% market share with over 678,000 subscribers, it failed to promptly address backend weaknesses linked to legacy infrastructure.
Engineers disclosed that fixing the problem required fundamental backend changes, not simple software patches. “This wasn’t something you could patch with one update,” said another source familiar with the system.
Insiders claim the vulnerability continued partly because addressing it risked disrupting ongoing expansion efforts. Between early 2024 and Q1 2025 alone, Safaricom added over 56,000 new connections, intensifying operational pressure.
By 2024, however, decisive changes were enforced: every Home Fibre account now carries unique, complex passwords, and session management protocols have been tightened to restrict accounts to a single active session at any given time.
“If one were to somehow get hold of the username and password, they would still not be able to use it as only one session is allowed,” an engineer confirmed.
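The two controls the engineers describe, unique per-account passwords and a limit of one active session per account, are shown together below as an added example; it is not Safaricom's code and not part of the original article. The subscriber records, account numbers and the generic password are constructed, and the `PPPoEAuthServer` class with its method names is an assumption standing in for the RADIUS/AAA backend a real PPPoE deployment would use.

```python
"""Added example (not Safaricom's code): audit a PPPoE subscriber table for a
password shared across accounts, reissue unique ones, and enforce a
one-session-per-account policy. All subscriber data here is constructed."""
from collections import defaultdict
import hmac
import secrets

# Constructed sample reproducing the pre-2024 state described in the article:
# unique usernames, one generic password shared by almost every account.
LEGACY_SUBSCRIBERS = {
    "acct-100001": "fibre2019",
    "acct-100002": "fibre2019",
    "acct-100003": "fibre2019",
    "acct-100004": "p9!Xq-unique",
}


def find_shared_passwords(subscribers):
    """Return {password: [usernames]} for every password used by more than
    one account. A healthy subscriber table yields an empty dict."""
    by_password = defaultdict(list)
    for user, pw in subscribers.items():
        by_password[pw].append(user)
    return {pw: users for pw, users in by_password.items() if len(users) > 1}


def issue_unique_passwords(subscribers):
    """Replace every password with a random per-account secret from a CSPRNG.
    In practice the new credential is pushed to the router during provisioning."""
    return {user: secrets.token_urlsafe(18) for user in subscribers}


class PPPoEAuthServer:
    """Toy AAA backend (an assumption, not a real product): verifies the
    per-account password and refuses a second concurrent session, which is
    what a RADIUS server does with a Simultaneous-Use := 1 check item."""

    def __init__(self, subscribers, max_sessions=1):
        self._creds = dict(subscribers)      # PPPoE CHAP needs the plaintext secret server-side
        self._max_sessions = max_sessions
        self._active = defaultdict(set)      # username -> set of live session ids

    def login(self, username, password, session_id):
        """Return (accepted, reason). Credentials are checked in constant time."""
        expected = self._creds.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return False, "bad-credentials"
        if len(self._active[username]) >= self._max_sessions:
            # A stolen credential is useless while the legitimate session is up.
            return False, "session-limit"
        self._active[username].add(session_id)
        return True, "ok"

    def logout(self, username, session_id):
        self._active[username].discard(session_id)

    def active_sessions(self, username):
        return len(self._active[username])


if __name__ == "__main__":
    print("shared before fix:", find_shared_passwords(LEGACY_SUBSCRIBERS))
    fixed = issue_unique_passwords(LEGACY_SUBSCRIBERS)
    print("shared after fix:", find_shared_passwords(fixed))
    srv = PPPoEAuthServer(fixed)
    pw = fixed["acct-100001"]
    print(srv.login("acct-100001", pw, "session-A"))   # (True, 'ok')
    print(srv.login("acct-100001", pw, "session-B"))   # (False, 'session-limit')
```

Running the audit against the constructed table flags the three accounts sharing `fibre2019`; after `issue_unique_passwords` the audit is clean, and the session limit means a second login with the same credentials is refused until the first session ends, matching the engineer's description.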
Safaricom has not disclosed the financial damage, but internal estimates suggest tens of millions of shillings were lost. The company did not respond to direct requests for comment.
This incident underscores the risks across African broadband markets, where aggressive network expansion usually outpaces cybersecurity upgrades.
The flaws in Safaricom’s system reflect challenges faced by providers worldwide that rely on outdated PPPoE systems without upgrading to more secure authentication methods such as MAC-based or certificate-based access.
At the recent Connected Africa Summit 2025, Safaricom itself acknowledged sector-wide risks, advocating for shared infrastructure models to cut deployment costs and enhance oversight.