Polymarket: 300,000 records posted; data public, not breached
Polymarket says roughly 300,000 records posted on a dark-web forum were publicly accessible via its APIs and on-chain history, not the result of a system breach.
On April 28, 2026, a user on a cybercrime forum posted roughly 300,000 records that the poster tied to Polymarket, including user profiles, comments and market data. Polymarket responded that the information was publicly accessible through its documented APIs and on-chain history and was not the result of a platform breach.
The forum listing, attributed to an account calling itself xorcat, advertised a 750 MB package that the seller said contained about 10,000 user profiles, 4,111 comments, 48,536 markets from Polymarket’s Gamma API and more than 250,000 active markets from its central limit order book (CLOB) API. The post also listed follower lists, reward configurations and internal user identifiers.
The package allegedly included proof-of-concept exploit code. The advertised exploits covered an Axios proxy bypass tracked as CVE-2025-62718, a cross-origin resource sharing (CORS) misconfiguration on the CLOB API, a Next.js middleware authentication bypass and a pagination flaw the seller said accepted unlimited query sizes. The post claimed Polymarket had no bug bounty program and said the platform was not notified before the data was published.
Polymarket responded on X, posting: “Part of the beauty of being on-chain is all our data is publicly auditable… this is a feature, not a bug. No data was ‘leaked’ — it’s accessible via our public endpoints & on-chain data.” The Polymarket Developers account added: “You ‘compromised’ our platform by accessing publicly accessible API endpoints & on-chain data and… *checks notes* are trying to sell the data we offer developers for free? Which VC paid you to post this?”
The company noted it operates a $5 million bug bounty program hosted with security firm Cantina and clarified that scraping public API endpoints does not qualify for a reward. Eligible submissions must involve verified vulnerabilities that affect funds, smart contracts or private user data.
Polymarket pointed users to its API documentation and said much of the flagged information can be reconstructed from on-chain history or public endpoints. Security researchers and users will monitor whether any of the claimed proof-of-concept exploits allow access beyond data already exposed through public APIs and on-chain records.