
Safaricom has fixed a long-standing technical loophole in its Home Fibre network that allowed thousands of customers to access internet service for free or at a heavily discounted rate. The issue dates back to at least 2018 and was only fully resolved in 2024.
The flaw, which insiders say cost the company tens of millions of shillings in lost revenue, exposed critical weaknesses in Safaricom’s broadband infrastructure when the telco was expanding rapidly. It also raises questions about internal controls, especially as Safaricom cements its dominance in Kenya’s fixed internet market.
The loophole stemmed from weak router authentication protocols on Safaricom’s fixed broadband network, two engineers familiar with the matter told TechCabal. The system used Point-to-Point Protocol over Ethernet (PPPoE), which required both a username and a password. But while usernames were unique to each user, a single, generic password was accepted across the board.
“People would often use someone’s account number as the username and apply the general password,” said one of the engineers who spoke on condition of anonymity.
Safaricom did not respond to a request for comment.
The workaround was quietly exploited by users and, in some cases, aided by Safaricom’s outsourced sales agents. When a subscription lapsed, customers could pay agents—sometimes as little as KES 1,000 ($8)—to reset the router and input new credentials. This would restore service without any official payment to Safaricom, bypassing the full monthly charges that typically range between KES 2,999 ($23) and KES 20,000 ($155).
“It became common in certain areas,” another engineer added. “The router would be reset, and someone with access to credentials would get the customer back online without Safaricom ever getting paid.”
Because the system only allowed one session per account, this workaround worked best with unused or expired accounts, many of which were hijacked without the knowledge of legitimate users. In other cases, users were knowingly complicit in the scheme. Internally, the Safaricom fibre team knew about the abuse, but the vulnerability proved difficult to resolve quickly. Parts of the system relied on legacy infrastructure from the telco’s early fibre deployment days, and fixes would have required deep changes across the network backend.
“This wasn’t something you could patch with one update,” said the engineer.
The issue persisted for years as Safaricom rapidly scaled its fixed broadband business, adding thousands of new connections monthly. But by 2024, Safaricom implemented long-overdue changes: unique, complex passwords were enforced for every account, and session restrictions were tightened to ensure that no more than one connection per account could be active at a time. It
“If one were to somehow get hold of the username and password, they would still not be able to use it as only one session is allowed,” the engineer said.
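The two weaknesses the engineers describe (one generic password accepted for every unique username, and no enforced cap on sessions per account) and the 2024 fix, as an added example that is not Safaricom's code: a small Python audit over a constructed subscriber export that flags accounts sharing a password hash or running more than one session, plus a `SessionGate` that models a per-account credential check with a one-session limit. The export format, account names and the SHA-256 stand-in for stored credentials are assumptions.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

def pw_hash(password: str) -> str:
    """Stand-in for whatever the AAA backend stores; only equality matters here."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample subscriber export (not real Safaricom data), one tuple per
# account: (username, stored_password_hash, active_sessions). Three accounts
# still carry the old shared generic password; one has two concurrent sessions.
SUBSCRIBERS = [
    ("acct-1001", pw_hash("generic-pass"), 1),
    ("acct-1002", pw_hash("generic-pass"), 0),
    ("acct-1003", pw_hash("generic-pass"), 2),
    ("acct-1004", pw_hash("x7#Qp9!vL2mZ"), 1),
    ("acct-1005", pw_hash("t4$Rw8&nK1yB"), 0),
]

def shared_password_groups(records, min_accounts=2):
    """Map password hash -> usernames for any hash reused by min_accounts or more."""
    by_hash = defaultdict(list)
    for user, stored, _ in records:
        by_hash[stored].append(user)
    return {h: users for h, users in by_hash.items() if len(users) >= min_accounts}

def over_session_limit(records, max_sessions=1):
    """Usernames whose live session count exceeds the per-account cap."""
    return sorted(user for user, _, sessions in records if sessions > max_sessions)

class SessionGate:
    """Per-account credential check plus a single-session cap per username."""

    def __init__(self, credentials, max_sessions=1):
        self.credentials = credentials  # username -> stored password hash
        self.max_sessions = max_sessions
        self.active = Counter()

    def login(self, username, password):
        stored = self.credentials.get(username)
        if stored is None or not hmac.compare_digest(stored, pw_hash(password)):
            return False  # unknown account, or the password is not this account's own
        if self.active[username] >= self.max_sessions:
            return False  # a session is already up for this account
        self.active[username] += 1
        return True

    def logout(self, username):
        self.active[username] = max(0, self.active[username] - 1)
```

Running the audit on a real export would list every account still on the shared password, which is the population the fix had to re-credential.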
While Safaricom has not disclosed the exact revenue loss, internal estimates suggest that the loophole cost the company tens of millions of Kenyan shillings—probably more, over several years. Insiders say the losses could have been far greater had the vulnerability not been quietly managed and eventually resolved.
According to the latest regulator data, Safaricom controls 36.5% of Kenya’s fixed internet market and serves 678,118 customers, making it the country’s largest internet service provider.