Polymarket Hit by Third-Party Auth Flaw, Users Lose Funds

  • A third-party authentication flaw bypassed Polymarket’s two-factor protection, enabling unauthorized account access and withdrawals.
  • Users reported drained balances, including top accounts, with some losing thousands despite no device compromise.
  • Polymarket fixed the vulnerability and will contact affected users, but total losses and account numbers remain undisclosed.

Polymarket confirmed a security breach this week after users reported drained accounts and suspicious login activity on the platform. The incident occurred on Polymarket’s prediction market platform, with reports surfacing on Reddit and X on Tuesday. According to the company, a third-party authentication flaw bypassed two-factor protection, enabling unauthorized access and fund withdrawals.

User Reports Trigger Platform Response

Users began flagging the issue after receiving unexpected login alerts tied to their Polymarket accounts. Several users reported multiple login attempts before balances disappeared.

One Reddit user said their account balance dropped to $0.01 overnight, despite no device compromise. Another user on X reported losses of about $2,000, even with two-factor authentication enabled.

However, reports did not remain isolated to one platform. Additional users on X said attackers drained both high-ranking and testing accounts. One user claimed their “top 1000” Polymarket account was fully emptied. As these reports spread, users questioned how attackers bypassed existing security layers.

Third-Party Login Tool Under Scrutiny

As attention shifted to authentication methods, several users pointed to Magic Labs as a possible source. Magic Labs provides email-based login services and automatically generated wallets for users.

The tool allows newcomers without crypto wallets to access platforms like Polymarket. Users claimed the affected accounts had been created using Magic Labs and said they had received no phishing emails.

Meanwhile, Polymarket did not confirm the provider’s identity. However, the company stated the vulnerability originated outside its core infrastructure. Polymarket emphasized that the issue stemmed from a third-party login provider and not internal systems.

Polymarket Confirms Fix, Withholds Details

According to a statement shared on Polymarket’s Discord, the company identified and resolved the vulnerability. The platform said the issue affected a “small number of users” and confirmed no ongoing risk. Polymarket added it would contact impacted users directly.

However, Polymarket did not disclose how many accounts were affected or the total funds lost. Magic Labs also did not respond to media inquiries. Notably, this follows similar user reports in late 2024 involving Google-based logins.
