Polymarket Says Third-Party Login Flaw Led to User Account Breaches

Overview

• Polymarket confirmed on its Discord that a vulnerability in a third-party authentication provider caused breaches affecting a small number of accounts and said the issue has been remediated.
• Several users reported unexpected login alerts followed by wiped balances, with some saying their email accounts had two-factor authentication enabled and showed no signs of compromise.
• The company did not identify the provider or disclose the number of affected users or total losses, and it said it will contact impacted customers.
• Users on Reddit and X pointed to Magic Labs’ email-based “magic link” onboarding as a common thread, though Polymarket has not confirmed the provider involved.
• The incident follows prior Polymarket security episodes tied to third-party logins and phishing in 2024, a recurring risk that looms larger as the platform scales and engages with the CFTC.