Polymarket data leak: 10,000 users
On April 27, 2026, Polymarket was reportedly involved in a major data incident affecting 10,000 user profiles, according to claims made by a user named xorcat on DarkForums. Approximately 300,000 records were allegedly extracted using undocumented API endpoints and other technical vulnerabilities. The claims raised concerns about the security measures in place at Polymarket, although the company stated that the data was fully accessible through public API endpoints as part of normal blockchain operations.
Polymarket has denied any unauthorized data leak, describing the collected data as publicly available, not confidential, and accessible to developers via free API connections.
Claims posted by user xorcat on DarkForums and shared via the X account of Dark Web Informer describe the alleged extraction as relying on undocumented API endpoints combined with the bypassing of pagination controls to retrieve large volumes of data. The report states that a misconfigured Cross-Origin Resource Sharing (CORS) setting on Polymarket’s Gamma API and on its CLOB API was exploited to access those endpoints. The material offered with the claims reportedly included functional proofs of concept for multiple vulnerabilities (CVE identifiers) and an automated extraction script to perform the data retrieval. The extraction is reported to have occurred on April 27, 2026, as indicated in the original post shared on the Dark Web Informer X account. The account specifically cited the Gamma and CLOB API endpoints as the vectors used in the extraction.
Polymarket denied any data breach and said the aggregated records described in the claims reflected normal blockchain operations and were accessible through public endpoints and free developer APIs. The company stated that the aggregated datasets were already available to developers at no cost via API connections and that none of the data were confidential.
Polymarket's response included a direct statement: “‘Compromised’? One of the great advantages of the blockchain is that all our data are publicly auditable… it is a feature, not a bug. No data ‘leaked’: they are accessible via our public endpoints and the blockchain data. Instead of paying to access the data, you can do so for free via our APIs.”
Polymarket maintained that these points meant there had been no unauthorized data leak and that the material in question represented publicly accessible information.
Polymarket engaged with the U.S. Commodity Futures Trading Commission (CFTC) as part of efforts to return to the U.S. market. The platform has prohibited American users from trading on its international platform since 2022. Public reporting also noted that the American-user restriction can be bypassed using a virtual private network (VPN). These items were cited in contemporaneous coverage of Polymarket.
These regulatory and access details were reported alongside other developments concerning the platform. They supply background context referenced in other sections of this article.
Claims posted by xorcat on DarkForums and shared via the X account of Dark Web Informer alleged an extraction affecting 10,000 user profiles and approximately 300,000 records. The report described use of undocumented API endpoints, pagination bypass, and misconfigured CORS on Polymarket’s Gamma and CLOB APIs to retrieve data. Polymarket denied a data breach, stating the aggregated records reflect normal blockchain operations and are accessible via public endpoints and free APIs. Bloomberg reporting noted Polymarket’s engagement with the CFTC and that Americans have been barred from trading on the international platform since 2022, a restriction reported as bypassable via VPN.


