Safaricom has finally closed a longstanding security hole in its Home Fibre network that enabled internet theft for nearly six years. The weakness lay in how subscribers were authenticated on the PPPoE system: the check relied on an outdated, shared credential rather than a per-subscriber secret. It allowed widespread unauthorized access and reportedly cost the company tens of millions of Kenyan shillings before it was fixed in 2024.
The flaw permitted anyone to log in using any Safaricom Home Fibre account number together with a single, widely known generic password. In practice that meant the account number, which is not a secret, was the only thing a user needed to know. According to engineers involved in the fix, some outsourced sales agents exploited the loophole, charging unofficial fees to reset routers and enter new credentials, bypassing the official billing system entirely. As a result, thousands of users enjoyed uninterrupted internet at a fraction of the official price.
Despite leading Kenya's fixed internet market with a 36.5% share and over 678,000 subscribers, Safaricom delayed addressing the vulnerability because of the complexity of the required backend changes and the risk of disrupting its rapid expansion. Internal sources said the issue could not be solved with software patches alone and required a complete overhaul of its session and password management systems.
By 2024 the telco had enforced tighter controls, including a unique, complex password for each subscriber and restricted session management that allows only one active login per account, so a credential can no longer be shared across many lines at once. While Safaricom has not publicly disclosed the financial toll, internal assessments indicate major revenue losses. The case underscores broader cybersecurity challenges in Africa's fast-growing broadband sector, where infrastructure growth often outpaces security reform.
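To make the difference between the two designs concrete, the following is an added illustration, not code from Safaricom or from any vendor. It models a PPPoE authentication backend under the old policy (any known account number plus one generic password, no session cap) beside the hardened policy the article describes (a salted per-subscriber password plus a one-active-session limit). The account numbers, the `fibre123` placeholder password and the session identifiers are all made up for the example.

```python
"""Constructed model of weak vs. hardened PPPoE subscriber authentication.

Not Safaricom's code. Account numbers, passwords and session IDs are invented.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumed stand-in for the single generic password the article describes.
GENERIC_PASSWORD = "fibre123"


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class LegacyAuth:
    """Old policy: account number + shared password, unlimited concurrent sessions."""

    def __init__(self, known_accounts):
        self.accounts = set(known_accounts)
        self.sessions = {}  # account number -> list of active session IDs

    def login(self, account: str, password: str, session_id: str) -> str:
        # The only per-subscriber input is the account number, which is not secret.
        if account in self.accounts and password == GENERIC_PASSWORD:
            self.sessions.setdefault(account, []).append(session_id)
            return "accept"
        return "reject"


@dataclass
class Account:
    number: str
    salt: bytes
    pw_hash: bytes
    max_sessions: int = 1  # one active PPPoE session per account


class HardenedAuth:
    """New policy: unique salted password per account, Simultaneous-Use style cap."""

    def __init__(self):
        self.accounts = {}
        self.sessions = {}  # account number -> list of active session IDs

    def provision(self, number: str, password: str, max_sessions: int = 1) -> None:
        salt = os.urandom(16)
        self.accounts[number] = Account(number, salt, _pw_hash(password, salt), max_sessions)

    def login(self, number: str, password: str, session_id: str) -> str:
        acct = self.accounts.get(number)
        if acct is None:
            return "reject"
        # Constant-time comparison of the stored hash against the offered password.
        if not hmac.compare_digest(_pw_hash(password, acct.salt), acct.pw_hash):
            return "reject"
        active = self.sessions.setdefault(number, [])
        if len(active) >= acct.max_sessions:
            # Credential is valid but already in use: refuse the second line.
            return "reject-simultaneous"
        active.append(session_id)
        return "accept"

    def logout(self, number: str, session_id: str) -> bool:
        active = self.sessions.get(number, [])
        if session_id in active:
            active.remove(session_id)
            return True
        return False


def active_sessions(auth, number: str) -> int:
    """Number of concurrent sessions the backend currently holds for an account."""
    return len(auth.sessions.get(number, []))


if __name__ == "__main__":
    legacy = LegacyAuth({"1001", "1002"})
    for sid in ("line-a", "line-b", "line-c"):
        print("legacy", sid, legacy.login("1001", GENERIC_PASSWORD, sid))
    print("legacy concurrent sessions:", active_sessions(legacy, "1001"))

    hardened = HardenedAuth()
    hardened.provision("1001", "x7Q!pL2#vN9r")
    print("hardened wrong pw:", hardened.login("1001", GENERIC_PASSWORD, "line-a"))
    print("hardened right pw:", hardened.login("1001", "x7Q!pL2#vN9r", "line-a"))
    print("hardened second line:", hardened.login("1001", "x7Q!pL2#vN9r", "line-b"))
```

One caveat for anyone mapping this onto a real access network: salted hashing of the stored password, as shown here, only works when the PPPoE client authenticates with PAP. CHAP requires the RADIUS side to hold the cleartext (or reversibly protected) password, so the credential store itself then needs strong protection. The per-account session cap corresponds to the `Simultaneous-Use` check item in FreeRADIUS, which depends on accurate accounting start/stop records; stale sessions that never receive an Accounting-Stop will lock legitimate subscribers out until they are reaped.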
