Prediction market Polymarket has blamed unidentified third-party login providers for some recent account breaches reported by users.
The platform confirmed the security incident on its Discord channel after users reported missing funds and suspicious login attempts.
Social media posts on Reddit and X revealed that some users received unexpected login alerts and then discovered that their balances had been deleted. One user said that while their device was not compromised and no other services were affected, their account was down to just a penny.
Another user on X said they lost around $2,000 despite enabling two-factor authentication. A third user said their “top 1000” Polymarket account had been drained, while a fourth said a test account had been drained.
While Polymarket did not name the provider in question, some users pointed to Magic Labs, which allows email-based login and automatically creates wallets for users. The tool is popular for making it easily accessible to newbies without a crypto wallet, making it a common entry point to Polymarket and other platforms.
The company acknowledged the issue but did not disclose how many users were affected or the amount stolen.
“We recently discovered and resolved a security issue that affected a small number of users. The issue was caused by a vulnerability introduced by a third-party authentication provider,” a company spokesperson said on Discord. “Polymarket takes security very seriously and the issue has been resolved. There is currently no ongoing risk and affected users will be contacted.”
Polymarket and Magic Labs did not immediately respond to emails seeking comment.
