Prediction market Polymarket blamed an unidentified third-party login provider for recent account breaches reported by several users.
The platform confirmed the security incident on its Discord channel after users reported missing funds and suspicious login attempts.
Social media posts on Reddit and X show several users received unexpected login alerts and then discovered their balances had been wiped. One user said their account dropped to just one cent despite not having their devices compromised and no other affected services.
Another user on X said they lost around $2,000, despite having two-factor authentication on. A third user said their “top 1000” Polymarket account was drained, while a fourth said a testing account was drained.
While Polymarket didn’t name the provider in question, several users pointed to Magic Labs, which allows email-based logins and automatically creates wallets for users. The tool is popular and allows newcomers who don’t have crypto wallets to easily access one, making it a common entry point to Polymarket and other platforms.
The company acknowledged the issue but did not disclose how many users were affected or the amount of money stolen.
“We recently identified and resolved a security issue affecting a small number of users. The issue was caused by a vulnerability introduced by a third-party authentication provider,” a company spokesperson said on Discord. “Polymarket takes security extremely seriously, and the issue has been remediated. There is no ongoing risk at this time, and we will be in contact with impacted users.”
Polymarket and Magic Labs did not respond immediately to emails asking for comment.
