Hacking MPESA PINs



I highly doubt this is the case… She says someone called her “with all information about…” I guess what she means here is that a stranger just wanted to let her know s/he knows about her Safaricom line data. It is as if the perpetrator was showing off before he/she swapped her SIM card. I don’t think any one of us in their right mind would give out details about everything regarding our Saf SIM cards… to the extent of remembering when you started using your SIM card. Likewise, she is not the only one to report such a case. I don’t expect Safaricom to tell us they got hacked cuz they wouldn’t, ever. But I think there is something more than just “customers gave out their details.”


The pata potea folks still make money. You put too much trust in human beings.

Someone hacked Safaricom for only 20k? And anyway pins and passwords aren’t stored in plain text. Dumping the entire mpesa database would not give you access to that personal information.


Nooo, I don’t assume that the client is 100% innocent. I just want to keep an open mind. Safaricom might not be innocent too. And what I mean by hacking is that when people hack a system, not all data is stolen. Sometimes they just manage to capture a few details before the network administrators jump in to secure the system. You need to understand that hackers are not foolish. You can’t just use all information you hacked to commit crime at once. It has to look like it’s the customer’s fault. 20k spread out to 100 clients is 2 million. I also agree with you that the customer may have given out her details. But to me, in my opinion, hacking to giving out details ratio is around 10:1. The probability here is like 0.1. But it could be the case.


For legal and insurance reasons you would need to prove that Safaricom were either complicit or all-out incompetent. First of all, your PIN is never stored in plaintext, implying no one has access to it, and more importantly the audit trail would link back to anyone involved in such a wild scheme.

Open up your mind then. You leaped straight to conspiracy theories without assessing the obvious.


Again, you misunderstand me. I know PINs and passwords are NOT stored in plain text. For everyone viewing this, I’m not accusing Safaricom of being hacked, so, @mister_roboto please stop saying that I have to prove this for legal and insurance reasons. I’m just a normal Kenyan, discussing the possible ways this could have happened. And since you keep reminding me PINs are not stored in plain text, I would like to tell you that it is NOT impossible to capture such details. I would like to end this discussion here since it’s like I’m being accused of claiming that Safaricom got hacked. Any Safaricom insiders, I am not. I repeat, I am not claiming you got hacked. Thank you.


You raised the wild fantasies mate, why play the victim now?


Whoever told you that MPESA PINs cannot be hacked told you a dumbfounded lie. These PINs can be hacked/accessed and there are people who have access to Safaricom’s systems that can access them, including some employees.

In 2012, I happen to have met online the guy who would later be connected to the CBK 4 Billion heist last year. Well, he was also arrested and charged in court over hacking of NIC systems and Safaricom Airtime a year or two ago.

That guy, whose name I won’t mention since we are all aware of him, grabbed my interest when he first showed up during the days when Safaricom and other companies such as LG posted lucrative contests on Facebook.

We had a team of five friends with whom we could team up to beat anyone in such competitions. We enjoyed the goodies until that guy showed up. That is when I got to know him more.

The guy would access my Facebook, Gmail, Skype, and other accounts online yet he hardly had my passwords or email. In fact, he once sent me a text message.

“What’s up Dan, it’s me, ABCD :laughing::laughing:, your mpesa pin is 1234 :laughing: :laughing:. Don’t worry how I got your number, name, and mpesa pin. Have a nice day”

So I just laugh when people say you must have given out your MPESA PIN. You were tricked into saying it. Then I remember this guy. He did not have my number in the first place. Maybe he got it from Facebook/Twitter where we posted numbers while complaining about slow internet.


Says the guy with zero knowledge about database security.

That clown was a developer (foolishly) granted with admin rights by management. How is that a hack?

The fact that he got busted by BFID says all you need to know about his leet hacking skill.

2FA, perhaps you’ve heard about it?


I might have zero knowledge about database security but you’ve skipped this part

I would love to hear your input about it :thinking::thinking::thinking:

Hater :laughing::laughing::laughing:


Nothing is hack proof. 2 Factor Auth just makes it harder, not hack proof. Same as security for, say, your house. You can deter criminals all you want but someone who is determined to get in will get in. Safaricom are not infallible. Maybe better prepared than most but not invincible.


:laughing::laughing::laughing: you must be kidding bro


People… let’s maintain order… since we established this is like an office now that has working hours. Anyway, I am also inclined to say that probably what happened to the lady is social engineering and not necessarily a hack. However, I have a concern: how was her SIM card replaced without her being there physically to present her National ID?


This is a very weird coincidence, guys.
I’m at the police station for this very case and I log in here and it’s an active topic.


Clarify what happened please.


Enlighten us please. Sorry for your troubles.


I’m also waiting to hear from @Michael_Ndiritu


Something is just not right with these mpesa hacks. Someone at Safaricom has a hand in it and is profiting from it. Maybe Kenyans have become too greedy.


Back to this topic. So I have an impending deal with one of my pals. It involves big money and the guy has his own fair share of insecurities and so do I.

However, using my number he dug up a few of my details. For example, my full names, one of which is misspelled, my date of birth and ID number.

Well, the visible misspelled name is as per Saf’s post paid records when I registered back in 2013 there. I have since ditched the service but that name gives me a hint of where my details were extracted from.

Clearly what does this mean?


Can that person tell you how he got a hold of your information?


He won’t, and since we have a pending long term business engagement, that is not a threat right now. At least for me. But such information clearly means that anything is possible in regard to this post.