Polymarket Dismisses Data Breach Claims Saying the Exposed Information Is Publicly Available by Design
-

Polymarket has pushed back against claims of a data breach after a threat actor known as xorcat posted approximately 300,000 records on a cybercrime forum, including user profiles, market data, comments, and alleged proof-of-concept exploit code. The platform responded within hours, stating that all data flagged in the post is either auditable on-chain or accessible through its documented public API endpoints. The company described the situation as a feature rather than a vulnerability, pointing to the transparent nature of on-chain infrastructure where market activity is publicly visible by design. Polymarket also directed users to its API documentation, noting that researchers can access the same information for free without purchasing anything from a forum seller.
The forum post advertised a 750 MB package containing roughly 10,000 user profiles, 4,111 comments, 48,536 markets from Polymarket's Gamma API, and more than 250,000 active markets from its CLOB API, along with follower lists and internal user identifiers. The actor also claimed to have bundled proof-of-concept exploits covering an Axios proxy bypass, a CORS misconfiguration on the CLOB API, a Next.js middleware authentication bypass, and a pagination flaw allowing unlimited query sizes. Polymarket separately rebutted the claim that it has no bug bounty program, pointing to its $5 million program hosted with Cantina, while clarifying that scraping public API endpoints does not qualify for rewards. Eligible submissions are limited to verified vulnerabilities affecting funds, contracts, or genuinely private user data.
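As an added illustration (not code from the article, the forum post, or Polymarket), this is the triage a defender would apply to two of the API-side claims: a CORS misconfiguration only exposes something when the response carries private or session-bound data, and a pagination flaw is closed by capping page size on the server. The allowlist, the cap, and all origins are constructed values.

```python
from typing import Mapping, Optional

# Constructed allowlist and cap for illustration; not Polymarket's real policy.
ALLOWED_ORIGINS = frozenset({"https://app.example.com"})
MAX_PAGE_SIZE = 100


def assess_cors(request_origin: str, headers: Mapping[str, str],
                response_is_private: bool) -> list[str]:
    """Findings for one request/response pair; an empty list means no issue.
    Origin reflection is only data exposure when the body is something the
    caller could not have fetched anonymously anyway."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    findings: list[str] = []
    if acao == "*" and creds:
        findings.append("wildcard origin with credentials (browsers refuse it; policy is confused)")
    reflected = (acao not in (None, "*") and acao == request_origin
                 and request_origin not in ALLOWED_ORIGINS)
    if reflected and creds and response_is_private:
        findings.append("arbitrary origin reflected with credentials: private response readable cross-site")
    elif reflected and not response_is_private:
        findings.append("origin reflected, but response is public data: hygiene issue, not data exposure")
    elif reflected:
        findings.append("origin reflected on private endpoint without credentials")
    return findings


def weak_cors_headers(request_origin: str) -> dict[str, str]:
    """The misconfiguration pattern: echo whatever Origin arrives, with credentials."""
    return {"Access-Control-Allow-Origin": request_origin,
            "Access-Control-Allow-Credentials": "true"}


def hardened_cors_headers(request_origin: Optional[str]) -> dict[str, str]:
    """Allowlist lookup instead of reflection; Vary: Origin keeps shared caches honest."""
    if request_origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": request_origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    return {"Vary": "Origin"}  # no grant: cross-origin scripts cannot read the body


def clamp_page_size(requested: object, default: int = 20) -> int:
    """Server-side cap so a client cannot request an unbounded page of results."""
    try:
        n = int(str(requested))
    except ValueError:
        return default
    return max(1, min(n, MAX_PAGE_SIZE))
```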
-
The threat actor bundled CORS misconfigurations with public API data, and Polymarket responded by pointing to the API documentation; one of these responses addresses the actual concern.