Polymarket has just confirmed that a security breach has affected certain user accounts. It indicates that a vulnerability linked to a third-party authentication provider would have allowed unauthorized access and led to losses for several victims. The platform claims to have corrected the problem and indicates that there is no longer a persistent risk.
In brief
- Polymarket has confirmed that a security breach linked to a third-party authentication provider allowed some accounts to be hacked
- On X and Reddit, victims describe login attempts followed by a drained balance, and some suspect a link to Magic Labs without official confirmation
- Polymarket claims to have fixed the vulnerability, says there is no longer any ongoing risk and promises to contact affected accounts.
What Polymarket admits and what it keeps silent
Polymarket confirmed on Discord that it had identified and resolved a security incident. The latter would have affected a small number of users, and would be linked to a flaw in a third-party authentication provider. This situation comes as the platform seemed to be regaining strength despite certain concerns in the market.
The Polymarket platform does not give the number of accounts impacted, nor the total amount of losses, nor the name of the supplier in question. This absence is not a detail. But, in safety, what we don't say quickly becomes the playground for speculation.
And then there is the formula “no persistent risk”. She reassures, obviously. But it doesn't answer the simplest question. Indeed, how can an authentication flaw lead to funds being emptied so quickly? As long as the precise mechanism is not explained, doubt sets in and the “Polymarket security flaw” becomes an unfortunately living keyword.
Magic Labs: the ideal suspect
On the networks, many are pointing the finger at Magic Labs because the testimonials seem to focus on accounts created via this type of “email to automatic wallet” connection.
This suspicion did not come out of nowhere. Polymarket has long documented registration via Magic Labs (email connection without password) to simplify onboarding. Magic, for its part, clearly explains that its embedded wallets create non-custodial wallets upon connection, via different authentication methods.
But be careful! At this stage, Polymarket has not publicly confirmed which provider is involved. Additionally, it has not published any comprehensive technical analysis. Clearly, Magic Labs is a name that “fits” the scenario but the public inquiry has not delivered its final word.
The most ironic thing is that Polymarket has already been caught up with this theme. In September 2024, users were complaining about drains of funds after logging in via Google. This resulted in USDC transfers to phishing addresses, while wallet extension users seemed less exposed. And if that wasn't enough, a phishing campaign was reported via comments in November 2025, with over $500,000 in losses reported.
Maximize your Tremplin.io experience with our 'Read to Earn' program! For every article you read, earn points and access exclusive rewards. Sign up now and start earning benefits.
