Nairobi: Safaricom, Kenya’s largest internet service provider, has finally patched a critical vulnerability in its Home Fibre network that allowed thousands of users to access internet services for free or at heavily reduced rates. The issue, which went undetected for years, stemmed from a weak PPPoE authentication setup on its routers dating back to 2018 and was only fully resolved in 2024.
The exploit centred on Safaricom’s Point-to-Point Protocol over Ethernet (PPPoE) login, which required a unique username but accepted a single generic password shared across many accounts. With the password effectively common knowledge, a valid username was all that stood between a user and free service, and usernames were easy enough to guess or obtain that unauthorized access to internet services became routine.
According to insiders, some users were assisted by Safaricom’s own sales agents who charged as little as KES 1,000 to reset routers and input unofficial login credentials, bypassing monthly subscription fees that normally ranged from KES 2,999 to KES 20,000.
“The workaround became widespread in certain areas,” said one engineer. “It involved using expired or inactive accounts to restore service without the company receiving payment.”
Though the issue was known internally, Safaricom faced challenges in addressing it due to its reliance on legacy infrastructure. A comprehensive fix required systemic upgrades across the network.
By 2024, Safaricom rolled out the crucial updates: a unique, complex password for every account and a limit of one active session per account. Together these blocked the unauthorized access even where credentials had been leaked or shared, since a shared password no longer worked for other accounts and a leaked one could not serve a second connection alongside the subscriber’s own.
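To make the weakness and the fix concrete, the following is an added example, not Safaricom’s code and not taken from the article. It models the authorisation decision a broadband access server makes when a router authenticates over PPPoE with CHAP-MD5 (RFC 1994: response = MD5(identifier || secret || challenge)). The subscriber table, the shared password, the usernames and the per-account session counter are all constructed for the example; the session limit mirrors the RADIUS “Simultaneous-Use” idea but nothing here claims to reproduce Safaricom’s actual backend. The weak policy accepts any known username with the one shared secret and never checks subscription status or open sessions; the hardened policy requires the account to be active, verifies a per-account secret, and refuses a second concurrent session.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Assumed shared PPPoE password of the weak setup (constructed, not a real value).
SHARED_SECRET = b"fibre2018"


@dataclass
class Account:
    secret: bytes          # per-account CHAP secret used by the hardened policy
    active: bool           # False for expired or unpaid subscriptions
    max_sessions: int = 1  # one active session per account, as in the 2024 fix


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response per RFC 1994: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


@dataclass
class AccessServer:
    """Minimal model of the access server's PPPoE authorisation decision."""
    accounts: dict
    sessions: dict = field(default_factory=dict)  # username -> open sessions

    def challenge(self) -> tuple:
        """Fresh CHAP identifier and 16-byte challenge value."""
        return os.urandom(1)[0], os.urandom(16)

    def weak_authorize(self, username, ident, challenge, response) -> str:
        """Pre-fix policy: any known username plus the shared secret is enough."""
        if username not in self.accounts:
            return "reject: unknown user"
        expected = chap_response(ident, SHARED_SECRET, challenge)
        if not hmac.compare_digest(expected, response):
            return "reject: bad password"
        self.sessions[username] = self.sessions.get(username, 0) + 1
        return "accept"

    def hardened_authorize(self, username, ident, challenge, response) -> str:
        """Post-fix policy: active account, per-account secret, single session."""
        acct = self.accounts.get(username)
        if acct is None:
            return "reject: unknown user"
        if not acct.active:
            return "reject: subscription inactive"
        expected = chap_response(ident, acct.secret, challenge)
        if not hmac.compare_digest(expected, response):
            return "reject: bad password"
        if self.sessions.get(username, 0) >= acct.max_sessions:
            return "reject: session limit reached"
        self.sessions[username] = self.sessions.get(username, 0) + 1
        return "accept"

    def logoff(self, username) -> None:
        """Called when the PPPoE session closes (accounting stop)."""
        if self.sessions.get(username, 0) > 0:
            self.sessions[username] -= 1


def demo() -> dict:
    """Run the scenarios the article describes against both policies."""
    # Constructed subscriber table: one paying customer, one expired account.
    accounts = {
        "sub-0001": Account(secret=b"Q7v!pL2m#zR9", active=True),
        "sub-0002": Account(secret=b"N4c$xW8k@tB1", active=False),
    }
    weak, hard = AccessServer(accounts), AccessServer(accounts)
    results = {}

    # Expired account reused with only the shared password (the reported abuse).
    ident, chal = weak.challenge()
    results["weak_expired"] = weak.weak_authorize(
        "sub-0002", ident, chal, chap_response(ident, SHARED_SECRET, chal))
    ident, chal = hard.challenge()
    results["hard_expired"] = hard.hardened_authorize(
        "sub-0002", ident, chal, chap_response(ident, SHARED_SECRET, chal))

    # Active account tried with the old shared password instead of its own.
    ident, chal = hard.challenge()
    results["hard_shared_secret"] = hard.hardened_authorize(
        "sub-0001", ident, chal, chap_response(ident, SHARED_SECRET, chal))

    # Legitimate router with the per-account secret, then a second router
    # using a leaked copy of that same secret while the first is still online.
    own = accounts["sub-0001"].secret
    ident, chal = hard.challenge()
    results["hard_legit"] = hard.hardened_authorize(
        "sub-0001", ident, chal, chap_response(ident, own, chal))
    ident, chal = hard.challenge()
    results["hard_second_session"] = hard.hardened_authorize(
        "sub-0001", ident, chal, chap_response(ident, own, chal))

    # Once the first session ends, the subscriber can reconnect normally.
    hard.logoff("sub-0001")
    ident, chal = hard.challenge()
    results["hard_after_logoff"] = hard.hardened_authorize(
        "sub-0001", ident, chal, chap_response(ident, own, chal))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The point the model makes is that CHAP’s challenge does nothing for you when the secret is shared: whoever knows it can answer any challenge for any username, so the username becomes the only secret, and an expired account is as good as a live one unless the server checks subscription status. Per-account secrets fix the first problem; a session counter fed from accounting records (modelled here by an in-memory dictionary) limits the damage from a leaked secret to one connection at a time.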
Internal sources estimate the flaw cost Safaricom tens of millions of Kenyan shillings in lost revenue over the years. With over 678,000 fixed internet subscribers and a 36.5% market share, the telco has since reinforced its security and backend systems to prevent future breaches.
Safaricom has not officially commented on the issue but is reportedly continuing its review of internal controls and legacy systems as part of broader infrastructure reforms.