Key Highlights
- Polymarket confirmed a hack caused by a third-party authentication flaw, not its own systems.
- The breach mainly affected users who signed up through Magic Labs, which creates non-custodial wallets.
- Polymarket said the issue has been fixed and it will contact affected users, but total losses are undisclosed.
Polymarket, a decentralized prediction market, has confirmed that a recent hack affecting user accounts was caused by a security flaw in a third-party authentication service, and not its own core systems.
In the official Discord channel, the platform said a small number of users had their funds drained after attackers exploited the external login provider.
The issue surfaced earlier this week after users began posting on X and Reddit about suspicious login alerts followed by missing balances. One affected user wrote, “Today I woke up and see three attempts to login to Polymarket… all other services are fine,” adding that all their positions had been closed and their account balance dropped to just $0.01.
Some users expressed concern that the breach might have been related to how accounts were accessed rather than specific security flaws because their devices and email accounts did not appear to have been compromised.
Questions around third-party logins
Reports suggest the incident mainly affected users who signed up through Magic Labs. The service allows people to log in with an email address and automatically creates a non-custodial crypto wallet—a setup often used by newcomers who do not yet have their own wallets. While convenient, it depends heavily on third-party authentication systems.
Polymarket addressed the issue in a message posted on its official Discord channel, stating, “We recently identified and resolved a security issue affecting a small number of users. The issue was caused by a vulnerability introduced by a third-party authentication provider.”
The prediction market said the problem has been fixed and that there are no ongoing risks, adding that it will reach out directly to affected users. The platform, however, didn’t disclose the number of accounts impacted or the total amount of money lost.
Latest incident adds to past security concerns
Polymarket has faced security issues in the past as well. In September 2024, those using Google to access their accounts had their wallets drained. Investigators believe that the investigation related to third-party logins was a cause of this draining process.
Recently, on November 12, attackers took advantage of Polymarket’s comment function by posting phishing links that lured victims into accessing the site via phishing pages. The scam resulted in a loss of over $500,000 for Polymarket’s users, which temporarily reduced the total value locked on the site, forcing Polymarket to advise its users to be wary.
Also Read: Polymarket Odds Show 83% Chance Bitcoin Hits $80,000 Before $150,000