TLDR

  • Polymarket has verified a security incident connected to an external authentication provider.
  • Accounts of users who registered through Magic Labs were emptied following unauthorized login activity.
  • A limited set of users was impacted, and Polymarket has since fixed the problem.
  • Polymarket pledges to get in touch with users affected by the third-party weakness.

The decentralized prediction market platform Polymarket acknowledged a security breach that compromised a number of user accounts. The incident was tied to a flaw in an external authentication service, notably affecting those who registered using Magic Labs. Impacted users stated their funds were withdrawn after noticing strange login activity.

Reports Surface of Drained Accounts

Users initially brought the breach to light on social media sites such as Reddit and X, describing how their accounts were hacked. One Reddit user recounted, “Today I woke up and see 3 attempts to login to — My device isn’t compromised, Google found nothing suspicious, all other services are fine.” This user later found all their positions liquidated and their balance nearly wiped out, leaving just $0.01.

Additional users described comparable events where their Polymarket accounts were emptied even with email two-factor authentication active. The problem seems to have mainly targeted users who signed up via Magic Labs, a service that creates non-custodial Ethereum wallets through email registration. Magic Labs is popular among newcomers to cryptocurrency who do not possess existing digital wallets.

Acknowledgment and Resolution from Polymarket

On December 23, Polymarket addressed the breach in its official Discord channel. The company confirmed it had found and remediated the issue, stating no continued threats exist. In its announcement, Polymarket explained the weakness originated from a third-party authentication provider and committed to contacting those harmed by the breach.

“We recently identified and resolved a security issue affecting a small number of users,” Polymarket stated. “The issue was caused by a vulnerability introduced by a third-party authentication provider. We will be in contact with impacted users,” the platform added.

Nevertheless, Polymarket withheld precise figures on how many users were affected or the total monetary value lost. The name of the third-party provider involved was also not revealed.

Previous Security Issues and Ongoing Concerns

This is not Polymarket’s first security problem involving external services. A similar breach happened in September 2024 concerning Google logins. Users said attackers took advantage of a flaw in a third-party authentication system, siphoning USDC from their wallets. The platform had blamed that breach on targeted exploits of the third-party service used for Google logins.

In a separate event in November 2024, a phishing attack leveraged Polymarket’s comment sections, causing user losses exceeding $500,000. Scam links posted in comments tricked users into logging in via email, resulting in stolen funds.

Ongoing Security Measures and User Safety

Polymarket stressed that the immediate security flaw has been fixed and that no residual risks are present. The platform reiterated its intention to contact affected users to provide further support.

Even with these actions, the recurrence of such incidents casts doubt on the enduring safety of platforms dependent on external authentication providers. As cryptocurrency hacks and fraud increase, users are advised to stay alert and adhere to security best practices for their accounts.