A critical Safaricom home fibre flaw persisted for at least six years, allowing thousands of users to bypass billing systems and access the internet for free or at heavily discounted rates. The loophole turned Safaricom’s fibre network into an informal economy where unauthorized connections thrived.
The issue lay in the authentication system used for Safaricom Home Fiber. Customers logged in through PPPoE using an account number and password — but the system accepted a universal password. Anyone with a valid account number could log in, without the account owner’s knowledge or consent.
Agents and the Underground Network
Outsourced sales agents exploited the Safaricom home fibre flaw to keep customers online for a small fee, even after their subscriptions expired. These agents would reset routers and input the shared credentials, effectively reconnecting customers outside the official billing system.
This shadow network became common in many Nairobi neighborhoods. People knowingly or unknowingly shared access. Some customers crowd-funded one connection and split the cost, bypassing monthly fees that typically ranged from KES 2,999 to 20,000.
Safaricom’s Delayed Fix
Although Safaricom’s engineers were aware of the vulnerability, fixing it required overhauling legacy systems dating back to the early days of its fibre rollout. These systems weren’t designed for scale or modern security demands.
It wasn’t until 2024 that a proper fix was implemented:
- Unique, secure passwords were enforced per user
- Session limits allowed only one device per account
- Shared logins were instantly blocked if a session was active
These changes shut down the informal access market almost overnight.
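As an added illustration (not Safaricom's code; account numbers and passwords are constructed sample values), a toy RADIUS-style authenticator that applies the three changes above: each account has its own credential, only one session is active per account, and a second login while a session is active is rejected.

```python
"""Toy PPPoE/RADIUS-style authenticator applying per-account credentials
and a one-session-per-account limit. Account numbers and passwords
below are constructed sample values, not real subscriber data."""
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the credential store is not reversible if it leaks
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Authenticator:
    def __init__(self, max_sessions: int = 1):
        self.max_sessions = max_sessions
        self._creds = {}     # account -> (salt, pbkdf2 hash)
        self._sessions = {}  # account -> set of active session ids

    def provision(self, account: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[account] = (salt, _hash(password, salt))

    def login(self, account: str, password: str):
        """Return a session id on Access-Accept, None on Access-Reject."""
        cred = self._creds.get(account)
        if cred is None:
            return None
        salt, stored = cred
        if not hmac.compare_digest(_hash(password, salt), stored):
            return None  # checked against this account's own secret, not a shared one
        active = self._sessions.setdefault(account, set())
        if len(active) >= self.max_sessions:
            return None  # a second login while a session is active is blocked
        sid = secrets.token_hex(8)
        active.add(sid)
        return sid

    def logout(self, account: str, sid: str) -> None:
        self._sessions.get(account, set()).discard(sid)

def demo() -> dict:
    auth = Authenticator(max_sessions=1)
    auth.provision("ACC-0001", "pw-one")
    auth.provision("ACC-0002", "pw-two")
    first = auth.login("ACC-0001", "pw-one")
    shared = auth.login("ACC-0002", "pw-one")  # another account's password: rejected
    second = auth.login("ACC-0001", "pw-one")  # session already active: rejected
    auth.logout("ACC-0001", first)
    after = auth.login("ACC-0001", "pw-one")   # allowed again once the session ends
    return {"first": first is not None, "shared": shared is not None,
            "second": second is not None, "after_logout": after is not None}
```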
Financial and Reputational Cost
Safaricom never publicly disclosed the total losses from the Safaricom home fibre flaw, but internal estimates run into tens of millions of shillings. Lost revenue aside, the telco had to invest in system audits, customer support, and new infrastructure to close the loophole.
The breach also raised concerns about telco transparency and data security. While Safaricom remained silent on details, experts say the prolonged flaw could have damaged investor confidence if it had gone public earlier.
Broader Context and Public Disclosure
According to Techweez, the system vulnerability existed from at least 2018 to 2024. The report confirmed that Safaricom’s Home Fiber service was unintentionally operating on a form of “honor system” — with one universal password accepted across all accounts.
The article also noted that while Safaricom has now fixed the issue, questions remain over why it took so long and what internal safeguards failed to flag the anomaly earlier.
Conclusion: A Hard Lesson for Telcos
The Safaricom home fibre flaw is a wake-up call to Kenya’s digital infrastructure providers. As networks expand, robust cybersecurity must be prioritized. Loopholes may go unnoticed for years, but the cost — financial and reputational — is eventually paid in full.
Safaricom still leads the fixed internet market with over 678,000 subscribers and a 36.5% share, but the incident is a stark reminder that dominance doesn’t guarantee invincibility.