Polymarket has confirmed a recent security incident that resulted in unauthorised access to a limited number of user accounts.
The decentralised prediction market said the breach was caused by a vulnerability in an external authentication service rather than its core systems.
User complaints surfaced on platforms such as X and Reddit, detailing unexpected login alerts and sudden fund losses.
One Reddit user said they woke up to multiple login attempts despite no signs of compromise across their device or other accounts.
The user reported that all open Polymarket positions were liquidated without authorisation.
According to the post, the affected account balance was reduced to just $0.01.
Other users shared similar experiences involving repeated login notifications followed by full wallet drains.
Several victims stated they had avoided suspicious links and had not shared credentials.
Users also noted that two-factor authentication was enabled on their email accounts at the time.
These reports suggested that the breach bypassed common security protections.
Community discussion quickly focused on accounts created through third-party email-based authentication services.
Attention centred on Magic Labs, which provides simplified onboarding by generating non-custodial Ethereum wallets.
Polymarket did not publicly name the provider but acknowledged a third-party authentication vulnerability.
We recently identified and resolved a security issue affecting a small number of users. The issue was caused by a vulnerability introduced by a third-party authentication provider.
Polymarket said.
The company stated the issue has been fully resolved and there is no ongoing threat.
Polymarket also committed to contacting impacted users directly.
The platform has not disclosed the number of affected accounts or total losses.
Polymarket said its core smart contracts were not impacted by the incident.
At the time of reporting, Ethereum price was $2,956.69 .