Key Highlights
- Polymarket says the much-discussed “leak” of roughly 300,000 records is nothing more than a bundle of public on-chain and API data that anyone could have pulled themselves.
- The dataset was reportedly assembled through undocumented API endpoints, weak pagination controls and misconfigurations, and was offered on a cybercrime forum together with an exploit kit.
- Polymarket calls the claims misleading, but critics counter that aggregating public data at scale, especially through endpoints that need no authentication, can still create real privacy and security problems for users.
Polymarket, the prediction market platform, has flatly denied suffering a security breach after reports that more than 300,000 records, along with an exploit kit, were being offered on a cybercrime forum.
The listing was surfaced by Dark Web Informer on X, which attributed it to an actor using the handle “xorcat.” The actor claims to have extracted the dataset on April 27, 2026 through a combination of undocumented API endpoints and misconfigurations.
😂 “compromised”?
Part of the beauty of being on-chain is that all our data is publicly auditable… this is a feature, not a bug. No data was “leaked” – it’s accessible via our public endpoints & on-chain data.
Instead of paying for the data, you can access it for free via our APIs.
– Polymarket (@Polymarket) April 28, 2026
Platform insists data is public, not leaked
Polymarket has rejected the characterization of the incident as a breach. The company maintains that its on-chain architecture makes its data publicly auditable by design and that the same records are available through its public endpoints, so no private data was compromised. Its position is that anyone can fetch the same information for free from its APIs, so there was nothing to buy.
What the leak allegedly contains
Despite the denial, the dataset described by the threat actor is said to bundle three kinds of platform data: user profiles, activity records, and market information.
It reportedly includes around 10,000 user profiles with metadata such as names, pseudonyms, bios, profile images and wallet-linked addresses, thousands of comments tied to user accounts, and extensive records from Polymarket’s Gamma and central limit order book (CLOB) markets.
The dataset is also said to map follower relationships and reward configurations linked to USDC contracts, along with internal identifiers embedded in platform metadata. Even if each record is individually public, joining them lets anyone reconstruct user activity patterns by linking pseudonyms to wallets and trading history, which is the privacy concern critics are pointing to.
Technical claims behind the extraction
The threat actor claims the dataset was assembled by exploiting gaps in Polymarket’s API infrastructure: undocumented endpoints and weak pagination controls that allowed data to be pulled in bulk rather than a page at a time.
Some endpoints, including those serving comments, reports and follower data, were reportedly reachable without authentication. The package allegedly ships with automated scripts that keep extracting data until the endpoints are locked down. If the claims are accurate, the relevant failure is not that on-chain data is public but that off-chain relationship and activity data could be enumerated wholesale with no authentication and only weak limits on pagination.
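As an added example, not code from the article or from Polymarket, here is a small detector that runs over constructed gateway log lines and flags the pattern the actor describes: a client walking a paginated endpoint page after page at speed, requesting oversized pages, and hitting follower and comment endpoints without authenticating. The log format, endpoint paths, client addresses and thresholds are all assumptions for the example.

```python
"""Flag bulk-enumeration patterns in API gateway logs.

Added example for this article, not Polymarket's code. The log format,
endpoint paths and client addresses below are constructed; the three
signals checked (a client walking offsets page after page at speed, page
sizes above the cap, and anonymous hits on relationship data) are the kind
a SOC would tune against its own gateway logs.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not real traffic): <ts> <client> <auth> <method> <url>
SAMPLE_LOG = """\
2026-04-27T10:00:00Z 203.0.113.7 anon GET /api/followers?offset=0&limit=1000
2026-04-27T10:00:01Z 203.0.113.7 anon GET /api/followers?offset=1000&limit=1000
2026-04-27T10:00:02Z 203.0.113.7 anon GET /api/followers?offset=2000&limit=1000
2026-04-27T10:00:03Z 203.0.113.7 anon GET /api/followers?offset=3000&limit=1000
2026-04-27T10:00:04Z 203.0.113.7 anon GET /api/comments?offset=0&limit=1000
2026-04-27T10:00:05Z 203.0.113.7 anon GET /api/comments?offset=1000&limit=1000
2026-04-27T10:03:00Z 198.51.100.4 user GET /api/markets?offset=0&limit=50
2026-04-27T10:09:00Z 198.51.100.4 user GET /api/markets?offset=50&limit=50
"""

# Assumed endpoint names for data that should require authentication.
SENSITIVE_PATHS = {"/api/followers", "/api/comments", "/api/reports"}


@dataclass
class Request:
    ts: datetime
    client: str
    auth: str
    path: str
    offset: int
    limit: int


def parse_log(text: str) -> list[Request]:
    """Parse the constructed log format into Request records."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, auth, _method, url = line.split()
        parsed = urlparse(url)
        query = parse_qs(parsed.query)
        reqs.append(Request(
            ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            client=client,
            auth=auth,
            path=parsed.path,
            offset=int(query.get("offset", ["0"])[0]),
            limit=int(query.get("limit", ["0"])[0]),
        ))
    return reqs


def find_enumerators(reqs: list[Request], min_pages: int = 3,
                     max_gap_seconds: float = 5.0, max_page: int = 100) -> dict:
    """Return {client: {"reasons": [...], "records_requested": n}} for suspicious clients."""
    by_client: dict[str, list[Request]] = defaultdict(list)
    for r in reqs:
        by_client[r.client].append(r)

    findings = {}
    for client, rs in by_client.items():
        rs.sort(key=lambda r: r.ts)
        reasons = set()

        # Signal 1: sequential offset walk, i.e. each request to a path starts
        # exactly where the previous one ended, with little time in between.
        by_path: dict[str, list[Request]] = defaultdict(list)
        for r in rs:
            by_path[r.path].append(r)
        for path, prs in by_path.items():
            run = 1
            for prev, cur in zip(prs, prs[1:]):
                contiguous = cur.offset == prev.offset + prev.limit
                fast = (cur.ts - prev.ts).total_seconds() <= max_gap_seconds
                run = run + 1 if contiguous and fast else 1
                if run >= min_pages:
                    reasons.add(f"sequential offset walk on {path}")
                    break

        # Signal 2: page sizes larger than the documented maximum.
        if any(r.limit > max_page for r in rs):
            reasons.add("page size above max")

        # Signal 3: unauthenticated access to relationship/comment data.
        if any(r.auth == "anon" and r.path in SENSITIVE_PATHS for r in rs):
            reasons.add("unauthenticated access to sensitive endpoint")

        if reasons:
            findings[client] = {
                "reasons": sorted(reasons),
                "records_requested": sum(r.limit for r in rs),
            }
    return findings


if __name__ == "__main__":
    for client, info in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

On the constructed sample, the anonymous client that walks `/api/followers` in four contiguous 1,000-row pages within seconds is flagged on all three signals, with 6,000 records requested in total, while the logged-in client paging through markets fifty at a time six minutes apart is not. The thresholds are deliberately simple; the point is that bulk extraction of “public” data leaves a distinctive shape in gateway logs that can be alerted on even when no single request is unauthorized.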
Referenced vulnerabilities and exploit kit
The disclosure cites several known vulnerabilities, including an Axios-related proxy bypass that could enable server-side request forgery (SSRF), in which the server is tricked into making requests on the attacker’s behalf, and a middleware authentication bypass affecting Next.js applications. The disclosure presents these as known issues in the underlying components; the reporting does not say whether either was demonstrated against Polymarket itself.
It also highlights insufficient validation of API parameters and endpoints exposed without proper access controls. The shared package reportedly includes proof-of-concept exploits, a structured technical report and additional datasets, so anyone who obtains it gets both the data and the recipe for collecting more.
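Whether data is public and whether the endpoint serving it was properly controlled are separate questions, and the difference can be shown side by side. The following added example (not Polymarket’s code; the dataset, endpoint shape, request budget and cursor key are assumed) contrasts a follower endpoint that trusts client-supplied offset and limit with no authentication against a hardened version that requires a logged-in caller, caps the page size, hands out HMAC-signed cursors bound to the caller instead of raw offsets, and enforces a per-client request budget, then runs the same scraper loop against both.

```python
"""A follower-list endpoint before and after hardening.

Added example for this article, not Polymarket's code. The dataset, the
handler signatures, the cursor key and the request budget are constructed.
weak_followers() trusts client-supplied offset and limit and needs no
authentication, so one request dumps everything. hardened_followers()
requires authentication, caps the page size, replaces raw offsets with an
HMAC-signed cursor bound to the caller, and enforces a per-client budget.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json

# Constructed dataset: 10,000 follower relationships (not real users).
FOLLOWERS = [{"follower": f"0x{i:040x}", "follows": f"0x{(i * 7) % 10_000:040x}"}
             for i in range(10_000)]

CURSOR_KEY = b"assumed-server-side-secret"  # would come from a secret store
TAG_LEN = 16
MAX_PAGE = 100
RATE_LIMIT = 20  # requests per client in this simulated window

_EMPTY = {"items": [], "next": None}


def weak_followers(params: dict, client: str, auth: str | None):
    """'Before': no auth, no cap, raw offsets the caller controls."""
    offset = int(params.get("offset", 0))
    limit = int(params.get("limit", 100))
    page = FOLLOWERS[offset:offset + limit]
    more = offset + limit < len(FOLLOWERS)
    nxt = {"offset": offset + limit, "limit": limit} if more else None
    return 200, {"items": page, "next": nxt}


def _make_cursor(offset: int, client: str) -> str:
    body = json.dumps({"o": offset, "c": client}, separators=(",", ":")).encode()
    tag = hmac.new(CURSOR_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(body + tag).decode()


def _read_cursor(cursor: str, client: str) -> int | None:
    """Return the offset if the cursor is authentic and belongs to this client."""
    try:
        raw = base64.urlsafe_b64decode(cursor.encode())
    except Exception:
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(CURSOR_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(body)
    return data["o"] if data.get("c") == client else None


_requests_seen: dict[str, int] = {}


def reset_rate_limits() -> None:
    _requests_seen.clear()


def hardened_followers(params: dict, client: str, auth: str | None):
    """'After': authenticate, budget, validate, and never trust a raw offset."""
    if auth is None:                      # relationship data needs a logged-in caller
        return 401, dict(_EMPTY)
    _requests_seen[client] = _requests_seen.get(client, 0) + 1
    if _requests_seen[client] > RATE_LIMIT:
        return 429, dict(_EMPTY)
    try:
        limit = int(params.get("limit", MAX_PAGE))
    except (TypeError, ValueError):
        return 400, dict(_EMPTY)
    if not 1 <= limit <= MAX_PAGE:        # the server, not the client, decides page size
        return 400, dict(_EMPTY)
    cursor = params.get("cursor")
    offset = 0 if cursor is None else _read_cursor(cursor, client)
    if offset is None:                    # forged, foreign or malformed cursor
        return 400, dict(_EMPTY)
    page = FOLLOWERS[offset:offset + limit]
    more = offset + limit < len(FOLLOWERS)
    nxt = {"cursor": _make_cursor(offset + limit, client), "limit": limit} if more else None
    return 200, {"items": page, "next": nxt}


def scrape(handler, client: str, auth: str | None, params: dict):
    """Simulate the leak kit's loop: follow 'next' until the data or the access runs out.
    Returns (last_status, requests_made, rows_obtained)."""
    made, rows = 0, 0
    while params is not None:
        status, body = handler(params, client, auth)
        made += 1
        if status != 200:
            return status, made, rows
        rows += len(body["items"])
        params = body["next"]
    return 200, made, rows


if __name__ == "__main__":
    print("weak, anonymous:", scrape(weak_followers, "bot", None, {"offset": 0, "limit": 10 ** 6}))
    print("hardened, anonymous:", scrape(hardened_followers, "bot", None, {"limit": 100}))
    reset_rate_limits()
    print("hardened, logged in:", scrape(hardened_followers, "bot", "token", {"limit": 100}))
```

The weak handler gives up all 10,000 rows in one request. The hardened one refuses anonymous callers, rejects an oversized limit, stops the authenticated scraper after its budget with 2,000 rows, and rejects a cursor minted for a different client. Opaque cursors do not make the data secret, but they stop a client from jumping to arbitrary offsets and make the enumeration rate proportional to what the server is willing to serve, which is what turns “public data” from a bulk download into a paced, attributable stream.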
Gaps between claims and response
Polymarket stands by its position that the data is public and that no breach occurred, but its response does not address the specific technical claims about API misconfigurations and extraction methods. Whether the data is public and whether the endpoints were properly controlled are separate questions, and so far only the first has been answered.
The actor also claims that no prior disclosure was made to the platform and that Polymarket has no bug bounty program; neither claim has been verified.
Wider context
The episode highlights the tension between transparency in on-chain systems and expectations about data exposure. Data that is technically public can still raise privacy questions once it is collected, joined and offered as a single package, and how easily it could be collected says something about a platform’s API safeguards.
For now the situation is unresolved, with competing accounts of whether the incident reflects a security failure or simply the reuse of openly accessible data.
2026-04-29 00:04