For years, thousands of Kenyan internet users quietly accessed Safaricom Home Fibre at a fraction of the actual cost or even for free thanks to a little-known vulnerability within the telco’s router authentication system. Now, that digital shortcut has officially been closed.
Safaricom, Kenya’s largest telecommunications provider, has confirmed a significant update to its Home Fibre infrastructure. The fix effectively blocks what had become a widespread underground hustle: using shared PPPoE credentials and insider tactics to bypass legitimate subscriptions.
What Was the Safaricom Home Fibre Loophole?
At the heart of the issue was a security flaw in Safaricom’s use of Point-to-Point Protocol over Ethernet (PPPoE) authentication for its routers—mainly ZTE and Huawei models. Instead of assigning unique, secure passwords to each subscriber account, Safaricom relied on a universal password shared across multiple accounts. Anyone with a valid username and the generic password could get online.
This setup left the system wide open. Tech-savvy individuals—sometimes aided by outsourced sales agents—learned that resetting routers and entering fresh login credentials from lapsed or dormant accounts would reactivate Home Fibre access without any official payment to Safaricom.
Users would pay as little as KES 1,000 to rogue agents who facilitated the reset, undercutting Safaricom’s monthly fibre packages that range from KES 2,999 to over KES 10,000. For some Kenyans struggling with the high cost of living, the temptation was strong—and the system offered little resistance.
How Safaricom Responded
The company had known about the vulnerability for years, according to engineers interviewed by TechCabal. However, any move to fix it required overhauling systems that stretched back to the early days of Safaricom Home Fibre. The workaround, while unofficial, had become embedded in how some users accessed the internet—raising the stakes for any technical fix.
In early 2024, Safaricom began implementing a permanent solution:
- Unique passwords are now assigned to every Home Fibre account, eliminating the shared-password loophole.
- A new single-session policy ensures only one connection can be active per account at a time. If a second user tries to log in, the original session is automatically kicked out.
These changes shut down unauthorized access completely. Users who had relied on the KES 1,000 hustle now face sudden disconnections. Reports indicate some of the street agents involved are now “out of work.”
Read: Safaricom Boss Becomes Highest Paid CEO on NSE with $2.2 M
Why This Matters
The closure of this loophole sends a strong message about security, accountability, and the cost of digital shortcuts. It also underlines several critical points:
- Security debt always comes due: What starts as a technical oversight can evolve into a costly vulnerability over time.
- Fraud isn’t always online: This exploit thrived not just because of software gaps but because of human factors—insiders who quietly enabled access.
- The cost of convenience: Many users knew they were accessing internet services unofficially. But the long-term effect is revenue leakage, which affects investment in better services.
What Next for Kenyan Users and ISPs?
For users, the era of cheap fibre through backdoor credentials is over. If you’re still using shared credentials or agent-installed logins, expect to be locked out soon.
For other ISPs in Kenya, the message is clear: audit your infrastructure. Any reliance on outdated authentication protocols or shared access credentials is a risk—not just to revenue but to reputation.
Safaricom’s move is a step toward greater integrity in Kenya’s digital infrastructure. With internet access becoming essential for education, business, and everyday life, telcos have a duty to deliver fair access while protecting their systems from abuse.
Final Thoughts
The internet might feel like a free space, but behind every Wi-Fi signal is an infrastructure built on trust, security, and accountability. The Safaricom Home Fibre loophole worked for a while, but eventually, the system caught up. The KES 1,000 hustle is over, and with it, a quiet chapter of Kenya’s digital street smarts.
As Safaricom tightens up its systems, users are reminded: nothing online is truly free—unless you’re on public Wi-Fi (and even then, it comes with its own risks).
