Third-party exposure removes user funds
Journalist
Hassan Shitu
Journalist
Share
Polymarket has confirmed that the recent leak affecting wallet user accounts was caused by a security vulnerability linked to a third-party authentication provider, with users complaining for days that their balances were empty after an unexplained login attempt.
The issue of the decentralized prediction market platform has now been fixed and there is no ongoing threat, although it did not say how many users were affected or the total value of the money lost.
Login emails, empty accounts: Polymarket users describe sudden financial losses.
Reports of suspicious activity began circulating on X and Reddit earlier this week, with many users reporting receiving multiple login notification emails despite not attempting to access their accounts.
In many cases, users reported logging in hours later to find their site locked and balances near zero.
One Reddit user wrote that three login attempts were flagged and their email and other online accounts showed no signs of compromise.
Another user provided a detailed account suggesting that the platform's one-time password system may have included weaknesses at the time of the breach.
Depending on the user, login codes are only three digits long and may be vulnerable to brute force attempts. The user commented that Polymarket apparently increased the OTP length to six digits shortly after the incident, though the company has not publicly commented on that particular claim.
User reports pointed to a common thread among the affected accounts. Many said they signed up through Magic Labs, a popular onboarding service that requires users to log in with email addresses and automatically creates non-custodial Ethereum wallets.
Magic Labs is widely used by new crypto users who don't already manage their own wallets.
Polymarket did not name the authentication provider involved, but admitted in a message posted on its official Discord channel that the vulnerability came from a third-party service.
The platform said it would contact affected users directly, but did not provide details on compensation or recovery options.
Third-party breaches continue to disrupt crypto platforms.
The incident is not the first time that Polymarket has faced security concerns related to external services.
In September 2024, users logged in with Google accounts reported wallet withdrawals involving unauthorized proxy transactions that moved USDC funds to phishing addresses.
At the time, Polymarket investigated the incidents for potential exploits related to third-party authentication tools.
Recently, a phishing campaign that abused the forum's comment sections resulted in over $500,000 in losses after users were redirected to fake login pages.
The breach comes amid a broader boom in third-party security breaches in the crypto and tech sectors. This week, crypto tax software company Coinly warned users that email addresses could be exposed following a breach of Mixpanel, the analytics provider it previously used.
Coinley reports that no financial/tax information has been compromised and that it does not use its services.
Elsewhere, Swiss crypto platform SwissBorg reported a 41 million loss earlier this year due to a compromise by API provider attackers, while Discord and several DeFi protocols also reported attacks related to external providers.
Security researchers have issued a series of warnings that the use of third-party infrastructure can increase vulnerability, especially as crypto platforms grow.
Trending news, recommended popular crypto topics, price predictions
